Abstract Combining higher-order abstract syntax and (co)-induction in a logical framework is well known to be problematic. We describe the theory and the practice of a tool called Hybrid, within Isabelle/HOL and Coq, which aims to address many of these difficulties. It allows object logics to be represented using higher-order abstract syntax, and reasoned about using tactical theorem proving and principles of (co)induction. Moreover, it is definitional, which guarantees consistency within a classical type theory. The idea is to have a de Bruijn representation of λ-terms providing a definitional layer that allows the user to represent object languages using higher-order abstract syntax, while offering tools for reasoning about them at the higher level. In this paper we describe how to use Hybrid in a multi-level reasoning fashion, similar in spirit to other systems such as Twelf and Abella. By explicitly referencing provability in a middle layer called a specification logic, we solve the problem of reasoning by (co)induction in the presence of non-stratifiable hypothetical judgments, which allow very elegant and succinct specifications of object logic inference rules. We first demonstrate the method on a simple example, formally proving type soundness (subject reduction) for a fragment of a pure functional language, using a minimal intuitionistic logic as the specification logic. We then prove an analogous result for a continuation-machine presentation of the operational semantics of the same language, encoded this time in an ordered linear logic that serves as the specification layer. This example demonstrates the ease with which we can incorporate new specification logics, and also illustrates a significantly more complex object logic whose encoding is elegantly expressed using features of the new specification logic.
1 Introduction

Logical frameworks provide general languages in which it is possible to represent a wide 
variety of logics, programming languages, and other formal systems. They are designed to 
capture uniformities of the deductive systems of these object logics and to provide support 
for implementing and reasoning about them. One application of particular interest of such 
frameworks is the specification of programming languages and the formalization of their 
semantics in view of formal reasoning about important properties of these languages, such 
as their soundness. Programming languages that enjoy such properties provide a solid basis 
for building software systems that avoid a variety of harmful defects, leading to systems that 
are significantly more reliable and trustworthy. 

The mechanism by which object logics are represented in a logical framework is of paramount importance to the success of a formalization. A naive choice of representation can seriously endanger a project almost from the start, making it almost impossible to move beyond the very first step of the development of a case study (see [71], which barely goes beyond encoding the syntax of the π-calculus).

Higher-Order Abstract Syntax (HOAS) is a representation technique used in some logical frameworks. Using HOAS, whose idea dates back to Church [24], binding constructs in an object logic are encoded within the function space provided by a meta-language based on a λ-calculus. For example, consider encoding a simple functional programming language such as Mini-ML [26] in a typed meta-language, where object-level programs are represented as meta-level terms of type expr. We can introduce a constant fun of type (expr ⇒ expr) ⇒ expr to represent functions of one argument. Using such a representation allows us to delegate to the meta-language α-conversion and capture-avoiding substitution. Further, object logic substitution can be rendered as meta-level β-conversion. However, experiments such as the one reported in [79] suggest that the full benefits of HOAS can be enjoyed only when the latter is paired with support for hypothetical and parametric judgments [51, 66, 90]. Such judgments are used, for example, in the well-known encoding of inference rules assigning simple types to Mini-ML programs. Both the encoding of programs and the encoding of the typing predicate typically contain negative occurrences of the type or predicate being defined (e.g., the first occurrence of expr in the type of fun above). This rules out any naive approach to view those set-theoretically as least fixed points [49, 89] or type-theoretically as inductive types, which employ strict positivity [88] to enforce strong normalization. As much as HOAS sounds appealing, it raises the question(s): how are we going to reason about such encodings, and in particular are there induction and case analysis principles available?

Among the many proposals — that we will survey in Section 6 — one solution that has emerged in the last decade stands out: specification and (inductive) meta-reasoning should be handled within a single system but at different levels. The first example of such a meta-logic was FOλ^ΔIN [69], soon to be followed by its successor, Linc [109].¹ They are both

¹ This is by no means the end of the story; on the contrary, the development of these ambient logics is very much a work in progress: Tiu [110] introduced the system LG^ω to get rid of the local signatures required by Linc's ∇ quantifier. Even more recently Gacek, Miller & Nadathur presented the logic G to ease reasoning on open terms and implemented it in the Abella system [42-44]. However, as this overdue report of our approach describes with an undeniable tardiness a system that was developed before the aforementioned new
based on intuitionistic logic augmented with introduction and elimination rules for defined atoms (partial inductive definitions, PIDs [50]), in particular definitional reflection (defL), which provides support for case analysis. While FOλ^ΔIN has only induction on natural numbers as the primitive form of inductive reasoning, the latter generalizes that to standard forms of induction and co-induction [82]; Linc also introduces the so-called "nabla" quantifier ∇ [76] to deal with parametric judgments. This quantifier accounts for the dual properties of eigenvariables, namely freshness (when viewed as constants introduced by the quantifier right rule) and instantiability as a consequence of the left rule and case analysis. Consistency and viability of proof search are ensured by cut-elimination [68, 109]. Inside the meta-language, a specification logic (SL) is developed that is in turn used to specify and (inductively) reason about the object logic/language (OL) under study. This partition avoids the issue of inductive meta-reasoning in the presence of negative occurrences in OL judgments, since hypothetical judgments are intensionally read in terms of object-level provability. The price to pay is coping with this additional layer where we explicitly reference the latter. Were we to work with only a bare proof-checker, this price could indeed be deemed too high; however, if we could rely on some form of automation such as tactical theorem proving, the picture would be significantly different.

The first author has proposed in [36] that, rather than implementing an interactive theorem prover for such meta-logics from scratch, they can be simulated within a modern proof assistant (Coq [14] in that case). The correspondence is roughly as follows: the ambient logic of the proof assistant in place of the basic (logical) inference rules of FOλ^ΔIN, introduction and elimination (inversion) rules of inductive types (definitions) in place of the defR and defL rules of PIDs.² Both approaches introduce a minimal sequent calculus [59] as a SL, and a Prolog-like set of clauses for the OL. Nevertheless, in a traditional inductive setting, this is not quite enough, as reasoning by inversion crucially depends on simplifying in the presence of constructors. When such constructors are non-inductive, which is typically the case with variable-binding operators, this presents a serious problem. The approach used in that work was axiomatic: encode the HOAS signature with a set of constants and add a set of axioms stating the freeness and extensionality properties of the constants. With the critical use of those axioms, it was shown that it is possible to replicate, in the well-understood and interactive setting of Coq, the style of proofs typical of FOλ^ΔIN. In particular, subject reduction for Mini-ML is formalized in [36] following this style very closely; this means that the theorem is proved immediately, without any "technical" lemmas required by the choice of encoding technique or results that may be trivial but are intrinsically foreign to the mathematics of the problem. Moreover, HOAS proofs of subject reduction typically do not require weakening or substitution lemmas, as they are implicit in the higher-order nature of the encoding. However, this approach did not offer any formal justification to the axiomatic approach and it is better seen as a proof-of-concept than as foundational work.

The Hybrid tool [3] was developed around the same time: it implements a higher-order 
meta-language within Isabelle/HOL [84] that provides a form of HOAS for the user to repre- 
sent OLs. The user level is separated from the infrastructure, in which HOAS is implemented 
definitionally via a de Bruijn style encoding. Lemmas stating properties such as freeness and 
extensionality of constructors are proved and no additional axioms are required. 



contributions, we will take the liberty to refer to Linc as the "canonical" two-level system. We will discuss new developments in more depth in Section 6.1.

² The defL rule for PIDs may use full higher-order unification, while inversion in an inductive proof assistant typically generates equations that may or may not be further simplified, especially at higher-order types.
Fig. 1 Architecture of the Hybrid system (layers from top to bottom):
Syntax: fun x. E x, fix x. E x, ...; Semantics: typing E : τ, ...
Sequent calculus: Γ ⊳_n G
Meta-language: quasi-datatype for a λ-calculus
Ambient logic: tactics/simplifier, (co)induction

It was therefore natural to combine the HOAS meta-language provided by Hybrid with 
Miller & McDowell's two-level approach, modified for inductive proof assistants. We im- 
plement this combined architecture in both Isabelle/HOL and Coq, but we speculate that 
the approach also works for other tactic-based inductive proof assistants, such as PVS [87], 
LEGO [62] etc. We describe mainly the Isabelle/HOL version here, though we compare it in some detail with the Coq implementation.³ A graphical depiction of the architecture is shown in Figure 1. We often refer to the Hybrid and Isabelle/HOL levels together as the
meta-logic. When we need to distinguish the Isabelle/HOL level on its own, we call it the 
meta-meta-logic. When we say two-level reasoning, we are referring to the object and spec- 
ification levels, to emphasize that there are two separate reasoning levels in addition to the 
meta-level. 

Moreover, we suggest a further departure in design (Section 4.4) from the original two- 
level approach [69]: when possible, i.e., when the structural properties of the meta-logic are 
coherent with the style of encoding of the OL, we may reserve for the specification level 
only those judgments that cannot be adequately encoded inductively and leave the rest at the 
Isabelle/HOL level. We claim that this framework with or without this variation has several 
advantages: 

- The system is more trustworthy: freeness of constructors and, more importantly, exten- 
sionality properties at higher-order types are not assumed, but proved via the related 
properties of the infrastructure, as we show in Section 3 (MC-Theorem 9). 

- The mixing of meta-level and specification-level judgments makes proofs more eas- 
ily mechanizable; more generally, there is a fruitful interaction between (co)-induction 
principles, meta-logic datatypes, classical reasoning, and hypothetical judgments, which 
lends itself to a good deal of automation. 

- We are not committed to a single monolithic SL, but we may adopt different ones (linear, 
relevant, bunched, etc.) according to the properties of the OL we are encoding. The 
only requirement is consistency, to be established with a formalized cut-elimination 
argument. We exemplify this methodology using non-commutative linear logic to reason 
about continuation machines (Section 5). 

Our architecture could also be seen as an approximation of Twelf [104], but it has a much lower mathematical overhead, simply consisting of a small set of theories (modules) on top of a proof assistant. In a sense, we could look at Hybrid as a way to "represent" Twelf's meta-proofs in the well-understood setting of higher-order logic as implemented in Isabelle/HOL (or the calculus of (co)inductive constructions as implemented in Coq). Note that by using a well-understood logic and system, and working in a purely definitional way, we avoid the need to justify consistency by syntactic or semantic means. For example, we do not need to show a cut-elimination theorem for a new logic as in [43], nor prove results such as strong normalization of calculi of the family [103] or about the correctness of the totality checker behind Twelf [106]. Hence our proofs are easier to trust, insofar as one trusts Isabelle/HOL and Coq.

³ We also compare it with a constructive version implemented in Coq [18], which we describe in Section 6.5.

Additionally, we can view our realization of the two-level approach as a way of "fast 
prototyping" HOAS logical frameworks. We can quickly implement and experiment with a 
potentially interesting SL; in particular we can do meta-reasoning in the style of tactical the- 
orem proving in a way compatible with induction. For example, as we will see in Section 5, 
when experimenting with a different logic, such as a sub-structural one, we do not need to 
develop all the building blocks of a usable new framework, such as unification algorithms, 
type inference or proof search, but we can rely on the ones provided by the proof assistant. 
The price to pay is, again, the additional layer where we explicitly reference provability, 
requiring a sort of meta-interpreter (the SL logic) to drive it. This indirectness can be allevi- 
ated, as we shall see, by defining appropriate tactics, but this is intrinsic to the design choice 
of relying on a general ambient logic (here Isabelle/HOL or Coq, in [69, 109] some variation of Linc). This contrasts with the architecture proposed in [67], where the meta-meta-logic is
itself sub-structural (linear in this case) and, as such, explicitly tailored to the automation of 
a specific framework. 

We demonstrate the methodology by first formally verifying the subject reduction property for the standard simply-typed call-by-value λ-calculus, enriched with a recursion operator. While this property (and the calculus as well) has been criticized as too trivial to be meaningful [6] — and, to a degree, we agree with that — we feel that the familiarity of the set-up will ease the understanding of the several layers of our architecture. Secondly we tackle a more complex form of subject reduction, that of a continuation machine, whose operational semantics is encoded sub-structurally, namely in non-commutative linear logic.

Outline The paper is organized as follows: Section 2 recalls some basic notions of Hybrid 
and its implementation in Isabelle/HOL and Coq. Section 3 shows how it can be used as a 
logical framework. In Section 4 we introduce a two-level architecture and present the first 
example SL and subject reduction proof, while Section 5 introduces a sub-structural SL and 
uses it for encoding continuation machines. We follow that up with an extensive review and 
comparison of related work in Section 6, and conclude in Section 7. This paper is an archival 
documentation of Hybrid 0.1 (see Section 6.5 for the terminology), extending previous joint 
work with Simon Ambler and Roy Crole [2, 3, 77-79], Jeff Polakow [81] and Venanzio 
Capretta [18]. 

Notation 1 (Isabelle/HOL) We use a pretty-printed version of Isabelle/HOL concrete syntax. A type declaration has the form s :: [t₁, …, tₙ] ⇒ t. We stick to the usual logical symbols for Isabelle/HOL connectives and quantifiers (¬, ∧, ∨, −→, ∀, ∃). Free variables (uppercase) are implicitly universally quantified (from the outside) as in logic programming. The sign ≡ (Isabelle meta-equality) is used for equality by definition, and ⋀ for Isabelle universal meta-quantification. A rule (a sequent) of the schematic form:

  H₁ … Hₙ
  ―――――――
      C

is represented as [[ H₁; …; Hₙ ]] ⟹ C. A rule with discharged assumptions such as conjunction elimination is represented as [[ P ∧ Q; [[ P; Q ]] ⟹ R ]] ⟹ R. The keyword MC-Theorem (Lemma) denotes a machine-checked theorem (lemma), while Inductive introduces an inductive relation in Isabelle/HOL, and datatype introduces a new datatype. We freely use infix notations, without explicit declarations. We have tried to use the same notation for mathematical and formalized judgments. The proof scripts underlying this paper are written in the so-called "Isabelle old style", i.e., they are exclusively in the tactical style, e.g., sequences of commands. This was still fashionable and supported by Isabelle/HOL 2005, as opposed to the now required Isar [58] idioms of the new Isabelle/HOL versions. However, in the interest of time, intellectual honesty (and also consistency with Coq), we have decided to base the paper on the original code of the project, which had as a fundamental goal the automation of two-level reasoning. Naturally, some of the comments that we make about concrete features of the system (as well as interactions with it) are by now relevant only to that version. When those happen to be obsolete, we will try to make this clear to the reader. We expect, however (and indeed we already are in the process, see Section 6.5), to carry over this work to the current version of Isabelle/HOL, possibly enhanced by the new features of the system.

Notation 2 (Coq) We keep Coq's notation similar to Isabelle/HOL's where possible. We use the same syntax for type declarations, though of course the allowable types are different in the two languages. We also use ≡ for equality by definition and = for equality. There is no distinction between a functional type arrow and logical implication in Coq, though we use both ⇒ and ⟹ depending on the context. In Isabelle/HOL, there is a distinction between notation at the Isabelle meta-level and the HOL object-level, which we do not have in Coq. Whenever an Isabelle/HOL formula has the form [[ H₁; …; Hₙ ]] ⟹ C, and we say that the Coq version is the same, we mean that the Coq version has the form H₁ ⟹ ⋯ ⟹ Hₙ ⟹ C, or equivalently H₁ ⇒ ⋯ ⇒ Hₙ ⇒ C, where implication is right-associative as usual.

Source files for the Isabelle/HOL and Coq code can be found at hybrid.dsi.unimi.it/jar [57].

2 Introducing Hybrid 

The description of the Hybrid layer of our architecture is taken fairly directly from previous work, viz. [3]. Central to our approach is the introduction of a binding operator that (1) allows a direct expression of λ-abstraction, and (2) is defined in such a way that expanding its definition results in the conversion of a term to its de Bruijn representation. The basic idea is inspired by the work of Gordon [47], and also appears in collaborative work with Melham [48]. Gordon introduces a λ-calculus with constants where free and bound variables are named by strings; in particular, in a term of the form (dLAM v t), v is a string representing a variable bound in t, and dLAM is a function of two arguments, which when applied, converts free occurrences of v in t to the appropriate de Bruijn indices and includes an outer de Bruijn abstraction operator. Not only does this approach provide a good mechanism through which one may work with named bound variables under α-renaming, but it can be used as a meta-logic by building it into an Isabelle/HOL type, say of proper terms, from which other binding signatures can be defined, as exemplified by Gillard's encoding of the object calculus [45]. As in the logical framework tradition, every OL binding operator is reduced to the λ-abstraction provided by the type of proper terms.
Our approach takes this a step further and exploits the built-in HOAS which is available in systems such as Isabelle/HOL and Coq. Hybrid's LAM constructor is similar to Gordon's dLAM except that LAM is a binding operator. The syntax (LAM v. t) is actually notation for (lambda λv. t), which makes explicit the use of bound variables in the meta-language to represent bound variables in the OL. Thus the v in (LAM v. t) is a meta-variable (and not a string as in Gordon's approach).

At the base level, we start with an inductive definition of de Bruijn expressions, as 
Gordon does. 

datatype expr = CON con | VAR var | BND bnd | expr $ expr | ABS expr

In our setting, bnd and var are defined to be the natural numbers, and con provides names for 
constants. The latter type is used to represent the constants of an OL, as each OL introduces 
its own set of constants. 

To illustrate the central ideas, we start with the λ-calculus as an OL. To avoid confusion with the meta-language (i.e., λ-abstraction at the level of Isabelle/HOL or Coq), we use upper case letters for variables and a capital Λ for abstraction. For example, consider the object-level term T_O = ΛV₁. (ΛV₂. V₁ V₂) V₁ V₃. The terms T_G and T_H below illustrate how this term is represented using Gordon's approach and Hybrid, respectively.

T_G = dLAM v1 (dAPP (dAPP (dLAM v2 (dAPP (dVAR v1) (dVAR v2))) (dVAR v1)) (dVAR v3))
T_H = LAM v₁. (((LAM v₂. (v₁ $ v₂)) $ v₁) $ VAR 3)

In Hybrid we also choose to denote object-level free variables by terms of the form (VAR i), though this is not essential. In either case, the abstraction operator (dLAM or LAM) is defined, and expanding definitions in both T_G and T_H results in the same term, shown below using our de Bruijn notation.

ABS (((ABS (BND 1 $ BND 0)) $ BND 0) $ VAR 3)

In the above term the variable occurrences bound by the first ABS, which corresponds to the bound variable V₁ in the object-level term, are the BND 1 inside the inner ABS and the BND 0 immediately to its right. The lambda operator is central to this approach and its definition includes determining correct indices. We return to its definition in Section 2.1.

In summary, Hybrid provides a form of HOAS where object-level:

- free variables correspond to Hybrid expressions of the form (VAR i);

- bound variables correspond to (bound) meta-variables;

- abstractions ΛV. E correspond to expressions (LAM v. e), defined as (lambda λv. e);

- applications E₁ E₂ correspond to expressions (e₁ $ e₂).



2.1 Definition of Hybrid in Isabelle/HOL

Hybrid consists of a small number of Isabelle/HOL theories (actually two, for a total of about 130 lines of definitions and 80 lemmas and theorems), which introduce the basic definition for de Bruijn expressions (expr) given above and provide operations and lemmas on them, building up to those that hide the details of de Bruijn syntax and permit reasoning on HOAS representations of OLs. In this section we outline the remaining definitions, and give some examples. Note that our Isabelle/HOL theories do not contain any axioms which require external justification,⁴ as in some other approaches such as the Theory of Contexts [55].

As mentioned, the operator lambda :: [expr ⇒ expr] ⇒ expr is central to our approach, and we begin by considering what is required to fill in its definition. Clearly (lambda e) must expand to a term with ABS at the head. Furthermore, we must define a function f such that (lambda e) is (ABS (f e)) where f replaces occurrences of the bound variable in e with de Bruijn index 0, taking care to increment the index as it descends through inner abstractions. In particular, we will define a function lbind of two arguments such that formally:

lambda e ≡ ABS (lbind 0 e)

and (lbind i e) replaces occurrences of the bound variable in e with de Bruijn index i, where recursive calls on inner abstractions will increase the index. As an example, consider the function λv. ABS (BND 0 $ v). In this case, application of lbind with argument index 0 should result in a level 1 expression:

lbind 0 (λv. ABS (BND 0 $ v)) = … = ABS (BND 0 $ BND 1)

and thus:

lambda (λv. ABS (BND 0 $ v)) = ABS (ABS (BND 0 $ BND 1)).

We define lbind as a total function operating on all functions of type (expr ⇒ expr), even exotic ones that do not encode λ-terms. For example, we could have e = (λx. count x) where (count x) counts the total number of variables and constants occurring in x. Only functions that behave uniformly or parametrically on their arguments represent λ-terms. We refer the reader to the careful analysis of this phenomenon (in the context of Coq) given in [32] and to Section 6 for more background. We will return to this idea shortly and discuss how to rule out non-uniform functions in our setting. For now, we define lbind so that it maps non-uniform subterms to a default value. The subterms we aim to rule out are those that do not satisfy the predicate ordinary :: [expr ⇒ expr] ⇒ bool, defined as follows:⁵

ordinary e ≡ (∃a. e = (λv. CON a) ∨
              e = (λv. v) ∨
              ∃n. e = (λv. VAR n) ∨
              ∃j. e = (λv. BND j) ∨
              ∃f g. e = (λv. f v $ g v) ∨
              ∃f. e = (λv. ABS (f v)))

We do not define lbind directly, but instead define a relation lbnd :: [bnd, expr ⇒ expr, expr] ⇒ bool and prove that this relation defines a function mapping the first two arguments to the third.



⁴ We will keep emphasizing this point: the package is a definitional extension of Isabelle/HOL and could be brought back to HOL primitives, if one so wishes.

⁵ This definition is one of the points where the Isabelle/HOL and Coq implementations of Hybrid diverge. See Section 2.2.
Inductive lbnd :: [bnd, expr ⇒ expr, expr] ⇒ bool
  ⟹ lbnd i (λv. CON a) (CON a)
  ⟹ lbnd i (λv. v) (BND i)
  ⟹ lbnd i (λv. VAR n) (VAR n)
  ⟹ lbnd i (λv. BND j) (BND j)
  [[ lbnd i f s; lbnd i g t ]] ⟹ lbnd i (λv. f v $ g v) (s $ t)
  lbnd (i + 1) f s ⟹ lbnd i (λv. ABS (f v)) (ABS s)
  ¬(ordinary e) ⟹ lbnd i e (BND 0)



In showing that this relation is a function, uniqueness is an easy structural induction. Existence is proved using the following abstraction induction principle.

MC-Theorem 1 (abstraction_induct)

[[ ⋀a. P (λv. CON a); P (λv. v); ⋀n. P (λv. VAR n); ⋀j. P (λv. BND j);
   ⋀f g. [[ P f; P g ]] ⟹ P (λv. f v $ g v);
   ⋀f. [[ P f ]] ⟹ P (λv. ABS (f v));
   ⋀f. [[ ¬ordinary f ]] ⟹ P f ]] ⟹ P e

The proof of this induction principle is by measure induction ([[ ⋀x. [[ ∀y. f y < f x −→ P y ]] ⟹ P x ]] ⟹ P a), where we instantiate f with rank and set rank e ≡ size (e (VAR 0)).

We now define lbind :: [bnd, expr ⇒ expr] ⇒ expr as follows, thus completing the definition of lambda:

lbind i e ≡ THE s. lbnd i e s

where THE is Isabelle's notation for the definite description operator ι. From these definitions, it is easy to prove a "rewrite rule" for every de Bruijn constructor. For example, the rule for ABS is:

MC-Lemma 2 (lbind_ABS)

lbind i (λv. ABS (e v)) = ABS (lbind (i + 1) e)

These rules are collected under the name lbind_simps, and thus can be used directly in simplification.

Ruling out non-uniform functions, which was mentioned before, will turn out to be important for a variety of reasons. For example, it is necessary for proving that our encoding adequately represents the λ-calculus. To prove adequacy, we identify a subset of the terms of type expr such that there is a bijection between this subset and the λ-terms that we are encoding. There are two aspects we must consider in defining a predicate to identify this subset. First, recall that (BND i) corresponds to a bound variable in the λ-calculus, and (VAR i) to a free variable; we refer to bound and free indices respectively. We call a bound index i dangling if i or fewer ABS labels occur between the index and the root of the expression tree. We must rule out terms with dangling indices. Second, in the presence of the LAM constructor, we may have functions of type (expr ⇒ expr) that do not behave uniformly on their arguments. We must rule out such functions. We define a predicate proper, which rules out dangling indices from terms of type expr, and a predicate abstr, which rules out dangling indices and exotic terms in functions of type (expr ⇒ expr).
To define proper we first define level. Expression e is said to be at level i ≥ 0, if enclosing e inside i ABS nodes ensures that the resulting expression has no dangling indices.

Inductive level :: [bnd, expr] ⇒ bool
  ⟹ level i (CON a)
  ⟹ level i (VAR n)
  j < i ⟹ level i (BND j)
  [[ level i s; level i t ]] ⟹ level i (s $ t)
  level (i + 1) s ⟹ level i (ABS s)

Then, proper :: expr ⇒ bool is defined simply as:

proper e ≡ level 0 e.

To define abstr, we first define abst :: [bnd, expr ⇒ expr] ⇒ bool as follows:

Inductive abst :: [bnd, expr ⇒ expr] ⇒ bool
  ⟹ abst i (λv. CON a)
  ⟹ abst i (λv. v)
  ⟹ abst i (λv. VAR n)
  j < i ⟹ abst i (λv. BND j)
  [[ abst i f; abst i g ]] ⟹ abst i (λv. f v $ g v)
  abst (i + 1) f ⟹ abst i (λv. ABS (f v))

Given abstr :: [expr ⇒ expr] ⇒ bool, we set:

abstr e ≡ abst 0 e.

When an expression e of type expr ⇒ expr satisfies this predicate, we say it is an abstraction.⁶ In addition to being important for adequacy, the notion of an abstraction is central to the formulation of induction principles at the meta-level.⁷

It is easy to prove the analogue of the abst introduction rules in terms of abstr, for example:

abst 1 f ⟹ abstr (λv. ABS (f v))

A simple, yet important lemma is:

MC-Lemma 3 (proper_abst)

proper t ⟹ abstr (λv. t)

So any function is a legal abstraction if its body is a proper expression. This strongly suggests that were we to turn the predicate proper into a type prpr, then any function of type prpr ⇒ prpr would be de facto a legal abstraction.⁸
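The expansion of T_G and T_H from the start of Section 2, the lbind example of Section 2.1 (lbind 0 (λv. ABS (BND 0 $ v)) = ABS (BND 0 $ BND 1)) and the level, proper, abst and abstr predicates above, run as a small executable model. This is an added Python example, not the Isabelle/HOL or Coq code of Hybrid: Hybrid defines lbind through the lbnd relation by case analysis on the shape of the function, whereas this model applies the function to a fresh marker constructor HOLE (an implementation device that is not part of Hybrid's expr datatype) and binds the marker afterwards, so it assumes its argument is uniform and does not model the ordinary default clause. The names lam, dLAM, NAME, _bind, _closed, show and example_* are this example's own.

```python
# Added example (not Hybrid's own code): de Bruijn expressions, Gordon's
# string-named dLAM, the HOAS conversion behind Hybrid's lambda/lbind, and
# the level/proper/abst/abstr predicates, modelled in Python.
import itertools
from dataclasses import dataclass
from typing import Callable, Optional, Union

@dataclass(frozen=True)
class CON: a: str                 # object-logic constant
@dataclass(frozen=True)
class VAR: n: int                 # free variable, indexed by a natural number
@dataclass(frozen=True)
class BND: j: int                 # bound variable as a de Bruijn index
@dataclass(frozen=True)
class APP: s: "Expr"; t: "Expr"   # application, written s $ t in the paper
@dataclass(frozen=True)
class ABS: body: "Expr"           # de Bruijn abstraction
@dataclass(frozen=True)
class NAME: v: str                # Gordon-style string-named variable (dVAR v)
@dataclass(frozen=True)
class HOLE: k: int                # implementation device, not in Hybrid's datatype: fresh marker for the bound meta-variable

Expr = Union[CON, VAR, BND, APP, ABS, NAME, HOLE]
Fun = Callable[[Expr], Expr]      # the type written (expr => expr) in the paper
_holes = itertools.count()        # supply of fresh markers

def _bind(t: Expr, x: Expr, i: int) -> Expr:
    """Replace every occurrence of x in t by BND i, incrementing i under each ABS."""
    if t == x:
        return BND(i)
    if isinstance(t, APP):
        return APP(_bind(t.s, x, i), _bind(t.t, x, i))
    if isinstance(t, ABS):
        return ABS(_bind(t.body, x, i + 1))
    return t  # constants, VARs, already-bound indices and other names stay as they are

def dLAM(v: str, t: Expr) -> Expr:
    """Gordon's dLAM: bind the string-named variable v in t under a new outer ABS."""
    return ABS(_bind(t, NAME(v), 0))

def lbind(i: int, e: Fun) -> Expr:
    """lbind i e: body of e with its bound meta-variable replaced by index i.
    Hybrid defines it via the lbnd relation; here e is assumed uniform, so it
    is applied to a fresh marker that is then bound by _bind."""
    h = HOLE(next(_holes))
    return _bind(e(h), h, i)

def lam(e: Fun) -> Expr:
    """lambda e = ABS (lbind 0 e); (LAM v. t) is notation for lam(lambda v: t)."""
    return ABS(lbind(0, e))

def _closed(e: Expr, i: int, h: Optional[HOLE] = None) -> bool:
    # True when no index dangles once e sits under i ABS nodes; only marker h may occur.
    if isinstance(e, (CON, VAR)):
        return True
    if isinstance(e, HOLE):
        return e == h
    if isinstance(e, BND):
        return e.j < i
    if isinstance(e, APP):
        return _closed(e.s, i, h) and _closed(e.t, i, h)
    if isinstance(e, ABS):
        return _closed(e.body, i + 1, h)
    return False  # an unbound Gordon-style name is not a well-formed Hybrid term

def level(i: int, e: Expr) -> bool:
    return _closed(e, i)

def proper(e: Expr) -> bool:
    return level(0, e)

def abst(i: int, f: Fun) -> bool:
    h = HOLE(next(_holes))
    return _closed(f(h), i, h)

def abstr(f: Fun) -> bool:
    return abst(0, f)

def show(e: Expr) -> str:
    """Render in the paper's de Bruijn notation."""
    if isinstance(e, APP):
        return f"({show(e.s)} $ {show(e.t)})"
    if isinstance(e, ABS):
        return f"ABS {show(e.body)}"
    return f"{type(e).__name__} {next(iter(vars(e).values()))}"

def example_TG() -> Expr:
    """T_G of the paper, with the free variable written VAR 3 as Hybrid does."""
    v1, v2 = NAME("v1"), NAME("v2")
    return dLAM("v1", APP(APP(dLAM("v2", APP(v1, v2)), v1), VAR(3)))

def example_TH() -> Expr:
    """T_H = LAM v1. (((LAM v2. (v1 $ v2)) $ v1) $ VAR 3) of the paper."""
    return lam(lambda v1: APP(APP(lam(lambda v2: APP(v1, v2)), v1), VAR(3)))
```

example_TG() and example_TH() expand to the same term, which show renders as ABS ((ABS (BND 1 $ BND 0) $ BND 0) $ VAR 3) (fully parenthesized); proper accepts it. The inner lam is evaluated first, so its marker is already bound to BND 0 when the outer marker is bound, and the outer marker lands at BND 1 inside the inner ABS, exactly the index shift that lbind's ABS clause performs. abstr rejects λv. v $ BND 0 because BND 0 dangles at level 0, while abst 1 accepts the same body, mirroring the j < i side condition of the abst rules.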

It follows directly from the inductive definition of de Bruijn expressions that the func- 
tions CON, VAR, $, and ABS are injective, with disjoint images. With the introduction of 
abstr, we can now also prove the following fundamental theorem: 

⁶ This is akin to the valid and valid1 predicates present in weak HOAS formalizations such as [32] (discussed further in Section 6.4), although this formalization has, in our notation, the "weaker" type (var ⇒ expr) ⇒ bool.

⁷ And so much more for the purpose of this paper: it allows inversion on inductive second-order predicates, simplification in presence of higher-order functions, and, roughly said, it ensures the consistency of those relations with the ambient logic.

⁸ This is indeed the case as we have shown in [80] and briefly comment on at the end of Section 6.
MC-Theorem 4 (abstr_lam_simp)

[[ abstr e; abstr f ]] ⟹ (LAM x. e x = LAM y. f y) = (e = f)

which says that lambda is injective on the set of abstractions. This follows directly from an analogous property of lbind:

MC-Lemma 5 (abst_lbind_simp_lemma)

[[ abst i e; abst i f ]] ⟹ (lbind i e = lbind i f) = (e = f)

This is proved by structural induction on the abst predicate using simplification with lbind_simps.

Finally, it is possible to perform induction over the quasi-datatype of proper terms.

MC-Theorem 6 (proper_VAR_induct)

[[ proper u;
   ⋀a. P (CON a);
   ⋀n. P (VAR n);
   ⋀s t. [[ proper s; P s; proper t; P t ]] ⟹ P (s $ t);
   ⋀e. [[ abstr e; ∀n. P (e (VAR n)) ]] ⟹ P (LAM x. e x) ]] ⟹ P u

The proof is by induction on the size of u, and follows from the following two lemmas.

MC-Lemma 7

1. level (i+1) e ⟹ ∃f. (lbind i f = e) ∧ abst i f   (level_lbind_abst)

2. proper (ABS e) ⟹ ∃f. (LAM x. f x = ABS e) ∧ abstr f   (proper_lambda_abstr)

MC-Lemma 8 (abstr_size_lbind)

abstr e ⟹ size (lbind i e) = size (e (VAR n))

Note that MC-Theorem 6 does not play any active role in the two-level architecture, as induction will be performed on the derivability of judgments.



2.2 Remarks on Hybrid in Coq 

In this section we comment briefly on the differences between the Isabelle/HOL and Coq implementations of Hybrid, which arise mainly from the differences in the meta-languages. Isabelle/HOL implements a polymorphic version of Church's higher-order (classical) logic plus facilities for axiomatic classes and local reasoning in the form of locales [8]. Coq implements a constructive higher-order type theory, but includes libraries for reasoning classically, which we used in order to keep the implementations as similar as possible.

Note that the definition of lbind uses Isabelle/HOL's definite description operator, which is not available in Coq. The use of this operator is the main reason for the differences in the two libraries. In Coq, we instead use the description axiom available in Coq's classical libraries:

∀A B :: Type. ∀R :: [A, B] ⇒ Prop. (∀x. ∃y. (R x y ∧ ∀y'. R x y' ⟹ y = y')) ⟹ ∃f. ∀x. R x (f x)

with lbnd as relation R. The Coq version of Hybrid is larger than the Isabelle/HOL version, mainly due to showing uniqueness for the lbnd relation. We then eliminate the existential quantifier in the description theorem to get a function that serves as the Coq version of lbind.

In more detail, in the Coq version the operations and predicates ordinary, lbnd, level, proper, abst, and abstr are defined nearly the same as in the Isabelle/HOL theory just described. For predicates such as level, we have a choice that we did not have in Isabelle/HOL. In Coq, Prop is the type of logical propositions, whereas Set is the type of datatypes. Prop and Set allow us to distinguish logical aspects from computational ones w.r.t. our libraries. The datatype bool, for example, distinct from Prop, is defined inductively in the Coq standard library as a member of Set. One option in defining level is to define it as a function with target type bool, which evaluates via conversion to true or false. The other is to define it as an inductive predicate (in Prop), in which case we need to provide proofs of level subgoals instead of reducing them to true. We chose the latter option, using Prop in the definition of level and all other predicates. This allowed us to define inductive predicates in Coq that have the same structure as the Isabelle/HOL definitions, keeping the two versions as close as possible. For our purposes, however, the other option should have worked equally well.

For predicates ordinary, lbnd, abst, and abstr, which each have an argument of functional type, there is one further difference in the Coq definitions. Equality in Isabelle/HOL is extensional, while in Coq it is not. Thus, it was necessary to define extensional equality on type (expr ⇒ expr) explicitly and use that equality whenever it is expressed on this type, viz.

=ext :: [expr ⇒ expr, expr ⇒ expr] ⇒ Prop

Formally, (f =ext g) = ∀x. (f x = g x). For example, this new equality appears in the definition of abst. In the Coq version, we first define an auxiliary predicate abst_aux defined exactly as abst in Isabelle/HOL, and then define abst as:

abst i e = ∃e'. e' =ext e ∧ abst_aux i e'.

The predicate abstr has the same definition as in Isabelle/HOL, via this new version of abst. The definition of lbnd parallels the one for abst, in this case using lbnd_aux. For the ordinary predicate, we obtain the Coq version from the Isabelle/HOL definition simply by replacing = with =ext.

The proof that lbnd is a total relation is by induction on rank and the induction case uses a proof by cases on whether or not a term of type (expr ⇒ expr) is ordinary. Note that the ordinary property is not decidable, and thus this proof requires classical reasoning, which is a second reason for using Coq's classical libraries.

In the Coq libraries, a dependent-type version of this axiom is stated, from which the version here follows directly.

Although this elimination is not always justified, it is in our case since we define the type expr to be a Coq Set.
Coq provides a module which helps to automate proofs using user-defined equalities that are declared as setoids. A setoid is a pair consisting of a type and an equivalence relation on that type. To use this module, we first show that =ext is reflexive, symmetric, and transitive. We then declare certain predicates as morphisms. A morphism is a predicate in which it is allowable to replace an argument by one that is equivalent according to the user-defined equality. Such replacement is possible as long as the corresponding compatibility lemma is proved. For example, we declare ordinary, lbnd, abst, and abstr as morphisms. In particular, the lemma for lbnd proves that if (lbnd i e t), then for all terms e' that are extensionally equal to e, we also have (lbnd i e' t). Setoid rewriting then allows us to replace the second argument of lbnd by extensionally equal terms, and is especially useful in the proof that every e is related to a unique t by lbnd.

As stated above, we obtain lbind by eliminating the existential quantifier in the description theorem. Once we have this function, we can define lambda as in Isabelle/HOL and prove the Coq version of the abstr_lam_simp theorem (MC-Theorem 4):

abstr e ⟹ abstr f ⟹ [(LAM x. e x = LAM y. f y) ⟷ (e =ext f)]

Note the use of logical equivalence (⟷) between elements of Prop. Extensional equality is used between elements of type (expr ⇒ expr) and Coq equality is used between other terms whose types are in Set. Similarly, extensional equality replaces equality in other theorems involving expressions of type (expr ⇒ expr). For example abstraction_induct (MC-Theorem 1) is stated as follows:

[[ ∀e a. [[ e =ext (λv. CON a) ]] ⟹ P e;
   ∀e. [[ e =ext (λv. v) ]] ⟹ P e;
   ∀e n. [[ e =ext (λv. VAR n) ]] ⟹ P e;
   ∀e j. [[ e =ext (λv. BND j) ]] ⟹ P e;
   ∀e f g. [[ e =ext (λv. f v $ g v); P f; P g ]] ⟹ P e;
   ∀e f. [[ e =ext (λv. ABS (f v)); P f ]] ⟹ P e;
   ∀e. [[ ¬ ordinary e ]] ⟹ P e ]] ⟹ P e



3 Hybrid as a Logical Framework 

In this section we show how to use Hybrid as a logical framework, first by introducing our first OL (Section 3.1) and discussing the adequacy of the encoding of its syntax (Section 3.2). Representation and adequacy of syntax are aspects of encoding OLs that are independent of the two-level architecture. We then show that some object-level judgments can be represented directly as inductive definitions (Section 3.3). We also discuss the limitations of encoding OL judgments in this way, motivating the need for the two-level architecture of Section 4.

The system at this level provides: 

- A suite of theorems: roughly three or four dozen propositions, most of which are only intermediate lemmas leading to the few that are relevant to our present purpose: namely, injectivity and distinctness properties of Hybrid constants.

- Definitions proper and abstr, which are important for Hybrid's adequate representation of OLs.

- A very small number of automatic tactics: for example proper_tac (resp. abstr_tac) automatically recognizes whether a given term is indeed proper (resp. an abstraction).
We report here the (slightly simplified) code for abstr_tac, to give an idea of how lightweight such tactics are:

    fun abstr_tac defs =
      simp_tac (simpset()
                  addsimps defs @ [abstr_def, lambda_def] @ lbind_simps)
      THEN'
      fast_tac (claset()
                  addDs [abst_level_lbind]
                  addIs abstSet.intrs
                  addEs [abstr_abst, proper_abst]);

First the goal is simplified (simp_tac) using the definition of abstr, lambda, other user-provided lemmas (defs), and more importantly the lbind "rewrite rules" (lbind_simps). At this point, it is merely a question of resolution with the introduction rules for abst (abstSet.intrs) and a few key lemmas, such as MC-Lemma 3, possibly as elimination rules. In Isabelle/HOL 2005, a tactic, even a user-defined one, could also be "packaged" into a solver. In this way, it can be combined with the other automatic tools, such as the simplifier or user-defined tactics, viz. 2lprolog_tac (see Section 4.3).



3.1 Coding the Syntax of an OL in Hybrid

The OL we consider here is a fragment of a pure functional language known as Mini-ML. As mentioned, we concentrate on a λ-calculus augmented with a fixed point operator, although this OL could be easily generalized as in [91]. This fragment is sufficient to illustrate the main ideas without cluttering the presentation with too many details.

The types and terms of the source language are given respectively by:

Types  τ ::= ι | τ → τ'

Terms  e ::= x | fun x. e | e • e' | fix x. e

We begin by showing how to represent the syntax in HOAS format using Hybrid. Since 
types for this language have no bindings, they are represented with a standard datatype, 
named tp and defined in the obvious way; more interestingly, as far as terms are concerned, 
we need constants for abstraction, application and fixed point, say cABS, cAPP, and cFIX. 
Recall that in the meta-language, application is denoted by infix $, and abstraction by LAM. 

The above grammar is coded in Hybrid verbatim, provided that we declare these constants to belong to the enumerated datatype con

datatype con = cABS | cAPP | cFIX

add the type abbreviation

uexp = con expr

and the following definitions:

@   :: [uexp, uexp] ⇒ uexp
fun :: [uexp ⇒ uexp] ⇒ uexp
fix :: [uexp ⇒ uexp] ⇒ uexp

E1 @ E2    = CON cAPP $ E1 $ E2
fun x. E x = CON cABS $ LAM x. E x
fix x. E x = CON cFIX $ LAM x. E x

where fun (resp. fix) is indeed an Isabelle/HOL binder, e.g., (fix x. E x) is a syntax translation for (fix (λx. E x)). For example, (fix x. fun y. x @ y) abbreviates:

(CON cFIX $ (LAM x. CON cABS $ (LAM y. (CON cAPP $ x $ y))))

Note again that the above are only definitions and by themselves would not inherit any of the properties of the constructors of a datatype. However, thanks to the thin infrastructural layer that we have interposed between the λ-calculus natively offered by Isabelle and the rich logical structure provided by the axioms of Isabelle/HOL, it is now possible to prove the freeness properties of those definitions as if they were the constructors of what Isabelle/HOL would ordinarily consider an "impossible" datatype as discussed earlier. More formally:

MC-Theorem 9 ("Freeness" properties of constructors) Consider the constructors fun, fix, @:

- The constructors have distinct images. For example:

  fun x. E x ≠ (E1 @ E2)   (FA_clash)

- Every non-binding constructor is injective.

- Every binding constructor is injective on abstractions. For example:

  [[ abstr E; abstr E' ]] ⟹ (fix x. E x = fix x. E' x) = (E = E')

Proof By a call to Isabelle/HOL's standard simplification, augmented with the left-to-right direction of the crucial property abstr_lam_simp (MC-Theorem 4). □

This result will hold for any signature containing at most second-order constructors, provided they are encoded as we have exhibited. These "quasi-freeness" properties — meaning freeness conditionally on whether the function in a binding construct is indeed an abstraction — are added to Isabelle/HOL's standard simplifier, so that they will be automatically applied in all reasoning contexts that concern the constructors. In particular, clash theorems are best encoded in the guise of elimination rules, already incorporating the "ex falso quodlibet" theorem. For example, FA_clash of MC-Theorem 9 is equivalent to:

[[ fun x. E x = (E1 @ E2) ]] ⟹ P
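An added Python model (not Hybrid's own Isabelle/HOL code) of the de Bruijn layer of Section 2 and of the Mini-ML signature just defined: lbind, LAM, level/proper and size, with fun, fix and @ built on top, so that MC-Theorem 4, MC-Lemma 8 and MC-Theorem 9 can be checked on concrete terms. Probing a function with a fresh hole, the names abstr_check and inst, and the behaviour on non-ordinary functions are assumptions of this model rather than Hybrid's definitions.

```python
from dataclasses import dataclass
from itertools import count
from typing import Callable, Union

# Hybrid's de Bruijn datatype expr: CON, VAR, BND, $ (APP here) and ABS.
@dataclass(frozen=True)
class CON: a: str
@dataclass(frozen=True)
class VAR: n: int                  # free variable
@dataclass(frozen=True)
class BND: i: int                  # bound variable (de Bruijn index)
@dataclass(frozen=True)
class APP:                         # f $ x
    f: "Expr"
    x: "Expr"
@dataclass(frozen=True)
class ABS: body: "Expr"
Expr = Union[CON, VAR, BND, APP, ABS]

@dataclass(frozen=True)
class HOLE: k: int                 # fresh probe for the argument of an expr => expr function
_fresh = count()

def lbind(i: int, e: Callable[[Expr], Expr]) -> Expr:
    """Model of Hybrid's lbind on ordinary functions: e is applied to a fresh hole
    and each occurrence of the hole below d nested ABS becomes BND (i + d), which
    is what the clauses lbind i (lambda v. v) = BND i and
    lbind i (lambda v. ABS (f v)) = ABS (lbind (i+1) f) compute.  Hybrid's clause
    for non-ordinary functions (lbnd sends them to BND 0) is not modelled here."""
    hole = HOLE(next(_fresh))
    def go(t: Expr, depth: int) -> Expr:
        if t == hole:          return BND(i + depth)
        if isinstance(t, APP): return APP(go(t.f, depth), go(t.x, depth))
        if isinstance(t, ABS): return ABS(go(t.body, depth + 1))
        return t               # CON, VAR, BND and holes of enclosing lbind calls
    return go(e(hole), 0)

def lam(e: Callable[[Expr], Expr]) -> Expr:
    """LAM x. e x  =  ABS (lbind 0 e)."""
    return ABS(lbind(0, e))

def level(i: int, t: Expr) -> bool:
    """level i t: every BND j in t satisfies j < i + (number of enclosing ABS)."""
    if isinstance(t, BND): return t.i < i
    if isinstance(t, APP): return level(i, t.f) and level(i, t.x)
    if isinstance(t, ABS): return level(i + 1, t.body)
    return True

def proper(t: Expr) -> bool:
    return level(0, t)             # proper = level 0: no dangling bound variable

def size(t: Expr) -> int:
    if isinstance(t, APP): return 1 + size(t.f) + size(t.x)
    if isinstance(t, ABS): return 1 + size(t.body)
    return 1

def inst(t: Expr, v: Expr, d: int = 0) -> Expr:
    """Replace BND d (the variable bound by the ABS just opened) by v."""
    if isinstance(t, BND): return v if t.i == d else t
    if isinstance(t, APP): return APP(inst(t.f, v, d), inst(t.x, v, d))
    if isinstance(t, ABS): return ABS(inst(t.body, v, d + 1))
    return t

def abstr_check(e: Callable[[Expr], Expr], probes=(VAR(0), VAR(1), VAR(2))) -> bool:
    """Necessary condition for abstr e (abstr is not decidable for an arbitrary
    callable): an abstraction agrees with its de Bruijn image on every instance,
    i.e. e (VAR n) = inst (lbind 0 e) (VAR n)."""
    body = lbind(0, e)
    return all(e(p) == inst(body, p) for p in probes)

# The Mini-ML signature of Section 3.1 on top of the de Bruijn layer.
def app(e1: Expr, e2: Expr) -> Expr:            # E1 @ E2    = CON cAPP $ E1 $ E2
    return APP(APP(CON("cAPP"), e1), e2)
def fun(E: Callable[[Expr], Expr]) -> Expr:     # fun x. E x = CON cABS $ LAM x. E x
    return APP(CON("cABS"), lam(E))
def fix(E: Callable[[Expr], Expr]) -> Expr:     # fix x. E x = CON cFIX $ LAM x. E x
    return APP(CON("cFIX"), lam(E))

def exotic(v: Expr) -> Expr:
    """A non-parametric (exotic) function: it inspects its argument, so it is not
    an abstraction, and LAM identifies it with lambda v. v, which is why
    MC-Theorem 4 needs the abstr hypotheses."""
    return VAR(1) if v == VAR(0) else v

if __name__ == "__main__":
    E = lambda x: fun(lambda y: app(x, y))       # body of fix x. fun y. x @ y
    print(fix(E))                                # its de Bruijn form
    print(lam(exotic) == lam(lambda v: v), abstr_check(exotic))   # True False
```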

3.2 Adequacy of the Encoding

It is a customary proof obligation (at least) w.r.t. higher-order encoding to show that the syntax (and later the judgments) of an OL such as Mini-ML are adequately represented in the framework. While this is quite well-understood in a framework such as LF, the "atypical" nature of Hybrid requires a discussion and some additional work. We take for granted (as suggested in [3], then painstakingly detailed in [28]) that Hybrid provides an adequate representation of the λ-calculus. Yet, it would not be possible to provide a "complete" proof of the adequacy of Hybrid as a theory running on a complex tool such as Isabelle/HOL. Here we take a more narrow approach, by working with a convenient fiction, i.e., a model of Hybrid as a simply-typed λ-calculus presented as a logical framework. This includes:



- a "first-order" λ-calculus (i.e., where bool can only occur as the target of a legal arrow type) as our term language;

- introduction and elimination rules for atoms generated by their inductive definition;

- simplification on the Hybrid level and modulo other decidable theories such as linear arithmetic.

We can use this as our framework to represent OLs; further this model is what we consider when we state meta-theoretical properties of OL encodings and prove them adequate.

By abuse of language, we call constructors what are more precisely Isabelle/HOL constant definitions.

We follow quite closely Pfenning's account in the Handbook of Automated Reasoning [90]. By adequacy of a language representation we mean that there is an encoding function ε_Γ(·) from OL terms with free variables in Γ to the canonical forms of the framework in an appropriate signature, as well as its inverse δ_Γ(·) such that:

1. validity: for every mathematical object t with free variables in Γ, ε_Γ(t) is a canonical (and thus unique, modulo α-conversion) representation in the framework. Note that we use Γ both for the Hybrid and the OL's variables context;

2. completeness: for every canonical term E over Γ, δ_Γ(E) results in a unique OL term t; furthermore ε_Γ(δ_Γ(E)) = E and δ_Γ(ε_Γ(t)) = t.

3. compositionality: the bijection induced by ε_Γ(·) and δ_Γ(·) commutes with substitution; formally ε_Γ([t1/x]t2) = [ε_Γ(t1)/x] ε_Γ(t2) and δ_Γ([E1/x]E2) = [δ_Γ(E1)/x] δ_Γ(E2).

Clearly the first requirement seems easier to satisfy, while the second one tends to be more problematic. In general, there could be two main obstacles when representing an OL's signature with some form of HOAS in a logical framework, both related to the existence of "undesirable" canonical terms in the framework, i.e., honest-to-goodness terms that are not in the image of the desired encoding:

1. If the framework is uni-typed, we need predicates to express the well-formedness of the encoding of expressions of the OL. Such well-formedness properties must now be proved, differently from settings such as LF, where such properties are handled by type-checking. In particular, Hybrid constants are not part of a datatype, so they do not enjoy the usual closure condition. Moreover there are proper Hybrid terms such as LAM x. x $ (VAR 0) that are not in the image of the encoding, but are still canonical forms of type expr.

2. If the framework is strong enough, in particular if its type system supports at least a primitive recursive function space, exotic terms do arise, as discussed earlier, i.e., terms containing irreducible functions that are not parametric on their arguments, e.g., fix x. fun y. if x = y then x else y.

As far as the second issue is concerned, we use abstr annotations to get rid of such "non-parametric" functions. As mentioned by [90] and as is standard practice in concrete approaches (e.g., the vclosed and term predicates in the "locally named/nameless" representation of [5,70]), we introduce well-formedness predicates (as inductive definitions in Isabelle/HOL) to represent OL types.

Incidentally, some first-order encodings, which are traditionally assumed not to be troublesome, may fail to satisfy the second requirement in the most spectacular way. A case in point are encodings typical of the Boyer-Moore theorem prover, e.g., case studies concerning the properties of the Java Virtual Machine [63]. Since the framework's language consists of S-expressions, a decoding function does not really exist: in fact, it is only informally understood how to connect a list of pairs of S-expressions to an informal function in, say, the operational semantics of the JVM, assuming that the code maintains the invariants of association lists. Within Hybrid we can do much better, although we will fall somewhat short of LF's standards.
To make clear the correspondence between the OL and its encoding, we re-formulate the BNF grammar for Mini-ML terms as a well-formedness judgment:

                    Γ ⊢ t1    Γ ⊢ t2        Γ, x ⊢ t           Γ, x ⊢ t
  ──────────        ─────────────────       ─────────────      ─────────────
  Γ, x ⊢ x           Γ ⊢ t1 • t2            Γ ⊢ fun x. t       Γ ⊢ fix x. t

Based on this formulation, the definition of the encoding of a Mini-ML term into Hybrid and of its decoding is unsurprising [91]. Notation-wise, we overload the comma so that Γ, x means Γ ∪ {x}; we also use Γ for both the context of OL variables and of Hybrid variables of type uexp:

ε_{Γ,x}(x) = x                        ε_Γ(t1 • t2) = ε_Γ(t1) @ ε_Γ(t2)
ε_Γ(fun x. t) = fun x. ε_{Γ,x}(t)      ε_Γ(fix x. t) = fix x. ε_{Γ,x}(t)
δ_{Γ,x}(x) = x                        δ_Γ(E1 @ E2) = δ_Γ(E1) • δ_Γ(E2)
δ_Γ(fun x. E) = fun x. δ_{Γ,x}(E)      δ_Γ(fix x. E) = fix x. δ_{Γ,x}(E)

We then introduce an inductive predicate _ ||= isterm _ of type [uexp set, uexp] ⇒ bool, which addresses at the same time the two aforementioned issues. It identifies the subset of uexp that corresponds to the open terms of Mini-ML over a set of (free) variables.

Inductive _ ||= isterm _ :: [uexp set, uexp] ⇒ bool

[[ x ∈ Γ ]] ⟹ Γ ||= isterm (x)

[[ Γ ||= isterm E1; Γ ||= isterm E2 ]] ⟹ Γ ||= isterm (E1 @ E2)

[[ ∀x. proper x ⟶ Γ, x ||= isterm (E x); abstr E ]] ⟹ Γ ||= isterm (fun x. E x)

[[ ∀x. proper x ⟶ Γ, x ||= isterm (E x); abstr E ]] ⟹ Γ ||= isterm (fix x. E x)

We can now proceed to show the validity of the encoding in the sense that Γ ⊢ t entails that Γ ||= isterm ε_Γ(t) is provable in Isabelle/HOL. However, there is an additional issue: the obvious inductive proof requires, in the binding case, the derivability of the following fact:

abstr (λx. ε_{Γ,x}(t))   (1)

A proof by induction on the structure of t relies on

abstr (λx. LAM y. ε_{Γ,x,y}(t))

This holds once λxy. ε_{Γ,x,y}(t) is a biabstraction, namely:

biAbstr (λxy. E x y) ⟹ abstr (λx. LAM y. E x y)

Biabstractions are the generalization of abstractions to functions of type (expr ⇒ expr ⇒ expr). The inductive definition of this notion simply replays that of abst and we skip it for the sake of space. We note however that the above theorem follows by structural induction using only introduction and elimination rules for abst. We therefore consider proven the above fact (1).

If Γ = {x1, ..., xn}, we write (proper Γ) to denote the Isabelle/HOL context [[ proper x1; ...; proper xn ]].

Lemma 10 (Validity of Representation) If Γ ⊢ t, then (proper Γ ⟹ Γ ||= isterm ε_Γ(t)) is provable in Isabelle/HOL.

Proof By the standard induction on the derivation of Γ ⊢ t, using fact (1) in the binding cases. □
As far as the converse of Lemma 10 goes, we need an additional consideration. As opposed to intentionally weak frameworks [31], Isabelle/HOL has considerable expressive power; various features of the underlying logic, such as classical reasoning and the axiom of choice, can be used to construct proofs about an OL that do not correspond to the informal constructive proofs we aim to formalize. We therefore need to restrict ourselves to a second-order intuitionistic logic. The issue here is guaranteeing that inverting on hypothetical judgments respects the operational interpretation of the latter, i.e., the deduction theorem, rather than viewing them as classical tautologies. We call such a derivation minimal. Since Isabelle/HOL does have proof terms [12], this notion is in principle checkable.

Lemma 11 (Completeness of Representation) Let Γ be the set {x1 : uexp, ..., xn : uexp}; if (proper Γ ⟹ Γ ||= isterm E) has a minimal derivation in Isabelle/HOL, then δ_Γ(E) is defined and yields a Mini-ML expression t such that Γ ⊢ t and ε_Γ(δ_Γ(E)) = E. Furthermore, δ_Γ(ε_Γ(t)) = t.

Proof The main statement goes by induction on the minimal derivation of proper Γ ⟹ Γ ||= isterm E; we sketch one case: assume proper Γ ⟹ Γ ||= isterm (fix x. E x); by inversion, Γ, x ||= isterm (E x) holds for a parameter x under the assumption proper (Γ, x). By definition δ_Γ(fix x. (E x)) = fix x. δ_{Γ,x}(E x). By the I.H. the term δ_{Γ,x}(E x) is defined and there is a t s.t. t = δ_{Γ,x}(E x) and Γ, x ⊢ t. By the BNF rule for fix, Γ ⊢ fix x. t and again by the I.H. and definition, ε_Γ(δ_Γ(fix x. E x)) = fix x. E x. Finally, δ_Γ(ε_Γ(t)) = t follows by a straightforward induction on t. □

Lemma 12 (Compositionality)

1. ε_Γ([t1/x]t2) = [ε_Γ(t1)/x] ε_Γ(t2), where x may occur in Γ.

2. If δ_Γ(E1) and δ_Γ(E2) are defined, then δ_Γ([E1/x]E2) = [δ_Γ(E1)/x] δ_Γ(E2).

Proof The first result may be proved by induction on t2 as in Lemma 3.5 of [91], since the encoding function is the same, or we can appeal to the compositionality property of Hybrid, proved as Theorem 4.3 of [28], by unfolding the Hybrid definition of the constructors. The proof of the second part is a similar induction on E2. □

Note that completeness and compositionality do not depend on fact (1).



3.3 Encoding Object-Level Judgments

We now turn to the encoding of object-level judgments. In this and the next section, we will consider the standard judgments for big-step call-by-value operational semantics (e ⇓ v) and type inference (Γ ⊢ e : τ), depicted in Figure 2. Evaluation can be directly expressed as an inductive relation (Figure 3) in full HOAS style. Note that substitution is encoded via meta-level β-conversion in the clauses for ev_app and ev_fix.

This definition is an honest-to-goodness inductive relation that can be used as any other one in an HOL-like setting: for example, queried in the style of Prolog, as in ∃t. fix x. fun y. x @ y ⇓ t, by using only its introduction rules and abstraction solving. Further, this kind of relation can be reasoned about using standard induction and case analysis. In

Note that Isabelle/HOL provides a basic intuitionistic prover, iprover, and it could be connected to an external, more efficient one via the sledgehammer protocol.
 e1 ⇓ fun x. e1'    e2 ⇓ v2    [v2/x]e1' ⇓ v
 ─────────────────────────────────────────── ev_app
                e1 • e2 ⇓ v

                                    [fix x. e/x]e ⇓ v
 ───────────────────── ev_fun       ───────────────── ev_fix
 fun x. e ⇓ fun x. e                  fix x. e ⇓ v

 Γ, x:τ ⊢ e : τ'                    Γ, x:τ ⊢ e : τ
 ───────────────────── tp_fun       ───────────────── tp_fix
 Γ ⊢ fun x. e : τ → τ'              Γ ⊢ fix x. e : τ

 Γ(x) = τ             Γ ⊢ e1 : τ' → τ    Γ ⊢ e2 : τ'
 ───────── tp_var     ─────────────────────────────── tp_app
 Γ ⊢ x : τ                    Γ ⊢ e1 • e2 : τ

Fig. 2 Big step semantics and typing rules for a fragment of Mini-ML.

Inductive _ ⇓ _ :: [uexp, uexp] 0 bool

[[ E1 ⇓ fun x. E' x; E2 ⇓ V2; (E' V2) ⇓ V; abstr E' ]] ⟹ (E1 @ E2) ⇓ V

[[ ∅ ||= isterm (fun x. E x); abstr E ]] ⟹ fun x. E x ⇓ fun x. E x

[[ E (fix x. E x) ⇓ V; ∅ ||= isterm (fix x. E x); abstr E ]] ⟹ fix x. E x ⇓ V

Fig. 3 Encoding of big step evaluation in Mini-ML.



fact, the very fact that evaluation is recognized by Isabelle/HOL as inductive yields inversion principles in the form of elimination rules. This would correspond, in meta-logics such as Linc, to applications of definitional reflection. In Isabelle/HOL (as well as in Coq) case analysis is particularly well-supported as part of the datatype/inductive package. Each predicate p has a general inversion principle p.elim, which can be specialized to a given instance (p t) by an ML built-in function p.mk_cases that operates on the current simplification set; specific to our architecture, note again the abstraction annotations as meta-logical premises in rules mentioning binding constructs. To take this into account, we call this ML function modulo the quasi-freeness properties of Hybrid constructors so that it makes the appropriate discrimination. For example the value of meval_mk_cases (fun x. E x ⇓ V) is:

(meval_fun_E) [[ fun x. E x ⇓ V; ⋀F. [[ ∅ ||= isterm (fun x. F x); abstr F;
               lambda E = lambda F; V = fun x. F x ]] ⟹ P ]] ⟹ P

Note also that the inversion principle has an explicit equation lambda E = lambda F (whereas definitional reflection employs full higher-order unification) and such equations are solvable only under the assumption that the body of a λ-term is well-behaved (i.e., is an abstraction).

Finally, using such elimination rules, and more importantly the structural induction prin- 
ciple provided by Isabelle/HOL's inductive package, we can prove standard meta-theorems, 
for instance uniqueness of evaluation. 
MC-Theorem 13 (eval_unique) E ⇓ F ⟹ ∀G. E ⇓ G ⟶ F = G.

Proof By induction on the structure of the derivation of E ⇓ F and inversion on E ⇓ G. □

The mechanized proof does not appeal, as expected, to the functionality of substitution, as the latter is inherited by the meta-logic, contrary to first-order and "weak" HOAS encodings (see Section 6.4). Compare this also with the standard paper and pencil proof, which usually ignores this property.

We can also prove some "hygiene" results, showing that the encoding of evaluation preserves properness and well-formedness of terms:

MC-Lemma 14 (eval_proper, eval_isterm)

1. E ⇓ V ⟹ proper E ∧ proper V

2. E ⇓ V ⟹ ∅ ||= isterm E ∧ ∅ ||= isterm V

Note the absence in Figure 3 of any proper assumptions at all: only the isterm assumptions in 
the application and fixed point cases are needed. We have included just enough assumptions 
to prove the above results. In general, this kind of result must be proven for each new OL, 
but the proofs are simple and the reasoning steps follow a similar pattern for all such proofs. 
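As an added illustration (not part of the paper's Isabelle/HOL development), the three clauses of Figure 3 as a Python evaluator over HOAS terms: Fun and Fix carry a Python function, so the substitutions in ev_app and ev_fix are literally function application, and evaluate being a function is the computational face of MC-Theorem 13. The constructors Var/App/Fun/Fix, the printer show, query, the fuel bound and the sample terms are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Callable, Union

# Mini-ML terms in HOAS form: a binder carries a Python function, so the
# object-level substitution of Figure 3 is plain function application.
@dataclass(frozen=True)
class Var: name: str                            # created only by show, for printing
@dataclass(frozen=True)
class App:
    e1: "Term"
    e2: "Term"
@dataclass(frozen=True)
class Fun: body: Callable[["Term"], "Term"]     # fun x. E x
@dataclass(frozen=True)
class Fix: body: Callable[["Term"], "Term"]     # fix x. E x
Term = Union[Var, App, Fun, Fix]

def evaluate(e: Term, fuel: int = 200) -> Term:
    """Big-step call-by-value evaluation, one branch per clause of Figure 3.
    fuel bounds the derivation height so that a term with no finite derivation
    (e.g. fix x. x) fails instead of looping."""
    if fuel == 0:
        raise RecursionError("no derivation within the fuel bound")
    if isinstance(e, Fun):                      # fun x. E x ⇓ fun x. E x
        return e
    if isinstance(e, Fix):                      # E (fix x. E x) ⇓ V  ⟹  fix x. E x ⇓ V
        return evaluate(e.body(e), fuel - 1)
    if isinstance(e, App):                      # E1 ⇓ fun x. E' x; E2 ⇓ V2; E' V2 ⇓ V
        f = evaluate(e.e1, fuel - 1)
        if not isinstance(f, Fun):
            raise TypeError("application of a non-function")
        v2 = evaluate(e.e2, fuel - 1)
        return evaluate(f.body(v2), fuel - 1)   # substitution = applying the body
    raise ValueError("a bare variable has no evaluation rule")

def show(t: Term, depth: int = 0) -> str:
    """Print a term by applying each binder to a fresh named variable (the
    counterpart of Hybrid's e (VAR n)); for closed terms built from the
    constructors above, equal strings mean equal terms up to renaming."""
    if isinstance(t, Var): return t.name
    if isinstance(t, App): return f"({show(t.e1, depth)} @ {show(t.e2, depth)})"
    x = Var(f"x{depth}")
    kw = "fun" if isinstance(t, Fun) else "fix"
    return f"{kw} {x.name}. {show(t.body(x), depth + 1)}"

def query(e: Term) -> str:
    """The Prolog-style query  ∃t. e ⇓ t : returns the printed value t."""
    return show(evaluate(e))

def diverges(e: Term, fuel: int = 200) -> bool:
    """True when no derivation of height <= fuel exists for e."""
    try:
        evaluate(e, fuel)
        return False
    except RecursionError:
        return True

# Constructed sample terms (not taken from the paper's development).
OMEGA = Fix(lambda x: Fun(lambda y: App(x, y)))   # fix x. fun y. x @ y
IDENT = Fun(lambda x: x)                          # fun x. x

if __name__ == "__main__":
    print(query(OMEGA))            # fun x0. (fix x1. fun x2. (x1 @ x2) @ x0)
    print(diverges(Fix(lambda x: x)))   # True: fix x. x has no value
```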

With respect to the adequacy of object-level judgments, we can establish first the usual statements, for example soundness and completeness of the representation; for the sake of clarity as well as brevity in the statement and proof of the lemma we drop the infix syntax in the Isabelle/HOL definition of evaluation, and omit the obvious definition of the encoding of said judgment:

Lemma 15 (Soundness of the encoding of evaluation) Let e and v be closed Mini-ML expressions such that e ⇓ v; then we can prove in Isabelle/HOL (eval ε_∅(e) ε_∅(v)).

Proof By induction on the derivation of e ⇓ v. Consider the ev_fun case: by definition of the encoding on expressions and its soundness (Lemma 10) we have that ∅ ||= isterm ε_∅(fun x. e) is provable in Isabelle/HOL; by definition and inversion ∅ ||= isterm (fun x. ε_x(e)) and abstr (λx. ε_x(e)) hold, hence by the introduction rules of the inductive definition of evaluation (eval fun x. ε_x(e) fun x. ε_x(e)) is provable, that is, by definition, (eval ε_∅(fun x. e) ε_∅(fun x. e)). The other two cases also use compositionality (Lemma 12) and the induction hypothesis. □

Lemma 16 (Completeness of the encoding of evaluation) If (eval E V) has a minimal derivation in Isabelle/HOL, then δ_∅(E) and δ_∅(V) are defined and yield Mini-ML expressions e and v such that e ⇓ v.

Proof It follows from MC-Lemma 14 that ∅ ||= isterm E and ∅ ||= isterm V, and thus from Lemma 11 that δ_∅(E) and δ_∅(V) are defined. The proof of e ⇓ v follows directly by induction on the minimal derivation of (eval E V), using compositionality (Lemma 12). □

Now that we have achieved this, does that mean that all the advantages of HOAS are now available in a well-understood system such as Isabelle/HOL? The answer is, unfortunately, a qualified "no". Recall the three "tenets" of HOAS:

1. α-renaming for free, inherited from the ambient λ-calculus identifying meta-level and object-level bound variables;

2. object-level substitution as meta-level β-reduction;

3. object-level contexts as meta-level assumptions.

As of now, we have achieved only the first two. However, while accomplishing in a consistent and relatively painless way the first two points above is no little feat, the second one, in particular, being in every sense novel, no HOAS system can really be worth its name without an accounting and exploiting of reasoning in the presence of hypothetical and parametric judgments. We consider the standard example of encoding type inference (Figure 2) in a language such as Twelf. Using Isabelle/HOL-like syntax (where we use bool for Twelf's type), the tp_app, tp_fun, and tp_fix rules would be represented as follows:

_ : _ :: [uexp, tp] ⇒ bool
[[ E1 : (T' → T); E2 : T' ]] ⟹ (E1 @ E2) : T
[[ ∀x. (x : T ⟶ (E x) : T') ]] ⟹ (fun x. E x) : (T → T')
[[ ∀x. (x : T ⟶ (E x) : T) ]] ⟹ (fix x. E x) : T

Each typing judgment x : T in an object-level context (Γ in Figure 2) is represented as a logical assumption of the form x : T. In the spirit of higher-order encoding, there is no explicit representation of contexts and no need to encode the tp_var rule. However, because of the negative recursive occurrences in the above formulas (the hypotheses x : T in the fun and fix rules), there is simply no way to encode this directly in an inductive setting, short of betraying its higher-order nature by introducing ad-hoc datatypes (in this case lists for environments) and, what's worse, all the theory they require. The latter may be trivial on paper, but it is time-consuming and has little to do with the mathematics of the problem.

Moreover, at the level of the meta-theory, it is only the coupling of items 2 and 3 above that makes HOAS encodings — and thus proofs — so elegant and concise; while it is nice not to have to encode substitution for every new signature, it is certainly much nicer not to have to prove the related substitution lemmas. This is precisely what the pervasive use of hypothetical and parametric judgments makes possible — one of the many lessons by Martin-Löf.

Even when hypothetical judgments are stratified and therefore inductive, using Hybrid directly within Isabelle/HOL (i.e., at a single level as will become clear shortly) has been only successful in dealing with predicates over closed terms (such as simulation). However, it is necessary to resort to a more traditional encoding, i.e., via explicit environments, when dealing with judgments involving open objects. These issues became particularly clear in the case-study reported in [79], where the Hybrid syntax allowed the following elegant encoding of closed applicative (bi)simulation [1]:

[[ ∀T. R ⇓ fun x. T x ⟶ abstr T ⟶
     ∃U. S ⇓ fun x. U x ∧ abstr U ∧ ∀p. (T p) ≤ (U p) ]]
⟹ R ≤ S

together with easy proofs of its basic properties (for example, being a pre-order). Yet, dealing with open (bi)simulation required the duplication of analogous work in a much less elegant way.

This does not mean that results of some interest cannot be proved working at one level. 
For example, the aforementioned paper (painfully) succeeded in checking non-trivial results 

Compare tliis to other methods of obtaining a-conversion by constructing equivalence classes [38, 113] 
in a proof assistant. 

" A compromise is the "weak" HOAS view mentioned earlier and discussed in Section 6.4. 



such as a Howe-style proof of congruence of applicative (bi)simulation [56]. Another
example [2] is the quite intricate verification of subject reduction of MIL-LITE [9], the
intermediate language of the MLj compiler [10].

In those experiments, HOAS in Isabelle/HOL seemed only a nice interlude, soon to be
overwhelmed by tedious and non-trivial (at least mechanically) proofs of list-based proper-
ties of open judgments and by a number of substitution lemmas that we had hoped to have
eliminated for good. These are the kinds of issues we address with the two-level architecture,
discussed next.



4 A Two-Level Architecture 

The specification level mentioned earlier (see Figure 1) is introduced to solve the problems 
discussed in the previous section of reasoning in the presence of negative occurrences of 
OL judgments and reasoning about open terms. A specification logic (SL) is defined induc- 
tively, and used to encode OL judgments. Since hypothetical judgments are encapsulated 
within the SL, they are not required to be inductive themselves. In addition, SL contexts can 
encode assumptions about OL variables, which allows reasoning about open terms of the 
OL. We introduce our first example SL in Section 4.1. Then, in Section 4.2, we continue the 
discussion of the sample OL introduced in Section 3, this time illustrating the encoding of 
judgments at the SL level. In Section 4.3, we discuss proof automation and in Section 4.4 
we present a variant of the proof in Section 4.2 that illustrates the flexibility of the system. 



4.1 Encoding the Specification Logic

We introduce our first SL, namely a fragment of second-order hereditary Harrop formu-
las [75]. This is sufficient for the encoding of our first case-study: subject reduction for the
sub-language of Mini-ML that we have introduced before (Figure 2). The SL language is
defined as follows, where τ is a ground type and A is an atomic formula.

\[
\begin{array}{lrcl}
\text{Clauses} & D & ::= & \top \mid A \mid D_1 \wedge D_2 \mid G \supset A \mid \forall^{\tau} x.\, D \mid \forall^{\tau_1 \Rightarrow \tau_2} x.\, D \\
\text{Goals} & G & ::= & \top \mid A \mid G_1 \wedge G_2 \mid A \supset G \mid \forall^{\tau} x.\, G \\
\text{Context} & \Gamma & ::= & \cdot \mid A, \Gamma
\end{array}
\]

The τ in the grammar for goals is instantiated with expr in this case. Thus, quantification is
over a ground type whose exact elements depend on the instantiation of con, which, as dis-
cussed in Section 4.2, is defined at the OL level. Quantification in clauses includes second-
order variables. We will use it, for instance, to encode variables E of type expr ⇒ expr that
appear in terms such as fun x. E x. Quantification in clauses may also be over first-order vari-
ables of type expr, as well as over variables of other ground types such as tp. In this logic, we
view contexts as sets, where we overload the comma to denote adjoining an element to a set.
Not only does this representation make mechanical proofs of the standard proof-theoretic
properties easier compared to using lists, but it is also appropriate for a sequent calculus that
enjoys contraction and exchange, and is designed so that weakening is an admissible property.
This approach will also better motivate the use of lists in sub-structural logics in the next



However, it would take a significant investment in man-months to extend the result from the lazy λ-
calculus to more interesting calculi such as [60].
\[
\begin{array}{c}
\dfrac{}{\Sigma;\Gamma, A \longrightarrow_{\Pi} A}\ \mathit{init}
\qquad
\dfrac{}{\Sigma;\Gamma \longrightarrow_{\Pi} \top}\ \top_R
\qquad
\dfrac{\Sigma;\Gamma \longrightarrow_{\Pi} G_1 \qquad \Sigma;\Gamma \longrightarrow_{\Pi} G_2}{\Sigma;\Gamma \longrightarrow_{\Pi} G_1 \wedge G_2}\ \wedge_R
\\[2ex]
\dfrac{\Sigma;\Gamma, A \longrightarrow_{\Pi} G}{\Sigma;\Gamma \longrightarrow_{\Pi} A \supset G}\ \supset_R
\qquad
\dfrac{\Sigma, x;\Gamma \longrightarrow_{\Pi} G}{\Sigma;\Gamma \longrightarrow_{\Pi} \forall^{\tau} x.\, G}\ \forall_R\ (x \notin \Sigma)
\qquad
\dfrac{\Sigma;\Gamma \longrightarrow_{\Pi} G \qquad A \Leftarrow G \in [\Pi]}{\Sigma;\Gamma \longrightarrow_{\Pi} A}\ \mathit{bc}
\end{array}
\]

Fig. 4 A minimal sequent calculus with backchaining



section. Further, in our setting, contexts are particularly simple, namely sets of atoms, since 
only atoms are legal antecedents in implications in goals. 

The syntax of goal formulas can be directly rendered with an Isabelle/HOL datatype:

    datatype oo = tt | ⟨atm⟩ | oo and oo | atm imp oo | all (expr ⇒ oo)

We write atm to represent the type of atoms; ⟨_⟩ coerces atoms into propositions. The defi-
nition of atm is left as an implicit parameter at this stage, because various instantiations will
yield the signature of different OLs, specifically predicates used to encode their judgments.

This language is so simple that its sequent calculus is analogous to a logic programming
interpreter. All clauses allowed by the above grammar can be normalized to (a set of) clauses
of the form:

\[
D ::= \forall^{\alpha_1} x_1 \ldots \forall^{\alpha_n} x_n\, (G \supset A)
\]

where n ≥ 0, and for i = 1, ..., n, αᵢ is either a ground type, or has the form τ₁ ⇒ τ₂ where
τ₁ and τ₂ are ground types. In analogy with logic programming, when writing clauses, out-
ermost universal quantifiers will be omitted, as those variables are implicitly quantified
by the meta-logic; implication will be written in the reverse direction, i.e., we write sim-
ply A ⟸ G, or when we need to be explicit about the quantified variables, we write
∀Σ(A ⟸ G) where Σ = {x₁, ..., xₙ}. This notation yields a more proof-search oriented
notion of clauses. In fact, we can write inference rules so that the only left rule is similar
to Prolog's backchaining. Sequents have the form Σ; Γ ⟶_Π G, where Σ is the current sig-
nature of eigenvariables and we distinguish clauses belonging to a static database, written
Π, from atoms introduced via the right implication rule, written Γ. The rules for this logic
are given in Figure 4. In the bc rule, [Π] is the set of all possible instances of clauses in Π
obtained by instantiating outermost universal quantifiers with all closed terms of appropriate
types.

This is also why we can dispense with the mutual definition of clauses and goals and avoid using a mutually
inductive datatype, which, in the absence of some form of subtyping, would make the encoding redundant.
    Inductive _ ▷_ _ :: [atm set, nat, oo] ⇒ bool

      ⟹ Γ ▷ₙ tt
      ⟦Γ ▷ₙ G₁; Γ ▷ₙ G₂⟧ ⟹ Γ ▷ₙ₊₁ (G₁ and G₂)
      ⟦∀x. proper x ⟶ Γ ▷ₙ (G x)⟧ ⟹ Γ ▷ₙ₊₁ (all x. G x)
      ⟦A, Γ ▷ₙ G⟧ ⟹ Γ ▷ₙ₊₁ (A imp G)

      ⟦A ∈ Γ⟧ ⟹ Γ ▷ₙ ⟨A⟩
      ⟦A ⟸ G; Γ ▷ₙ G⟧ ⟹ Γ ▷ₙ₊₁ ⟨A⟩

Fig. 5 Encoding of a minimal specification logic



This inference system is equivalent to the standard presentation of minimal logic [59],
where the right rules are the same and the left rules (given below) for conjunction, implica-
tion and universal quantification replace the bc rule.



\[
\dfrac{\Sigma;\Gamma, D_1, D_2 \longrightarrow_{\Pi} G}{\Sigma;\Gamma, D_1 \wedge D_2 \longrightarrow_{\Pi} G}\ \wedge_L
\qquad
\dfrac{\Sigma;\Gamma, D[t/x] \longrightarrow_{\Pi} G}{\Sigma;\Gamma, \forall x.\, D \longrightarrow_{\Pi} G}\ \forall_L
\qquad
\dfrac{\Sigma;\Gamma \longrightarrow_{\Pi} G \qquad \Sigma;\Gamma, B \longrightarrow_{\Pi} A}{\Sigma;\Gamma, (G \supset B) \longrightarrow_{\Pi} A}\ \supset_L
\]



In fact, the bc rule is derivable by eliminating the universal quantifiers until the head of a
clause matches the atom on the right and then applying ⊃L. The reader should remember
that we are working in an ambient logic modulo some equational theory (in the case of
Isabelle, =αβη) and that both atomic rules (init and bc) are applicable in the case when an
atom on the right appears as an assumption and unifies with the head of a definite clause in
the program Π. Thus, we can inherit the completeness of uniform provability [75] w.r.t. an
ordinary sequent calculus, which holds for a much more expressive conservative extension
of our SL, namely higher-order Harrop formulas.

We encode this SL in Figure 5. We use the symbol ▷ for the sequent arrow, in this case
decorated with natural numbers that represent the height of a proof; this measure allows us
to reason by complete induction. For convenience we write Γ ▷ G if there exists an n such
that Γ ▷ₙ G, and furthermore we simply write ▷ G when ∅ ▷ G. The first four clauses of the
definition directly encode the introduction (R) rules of the figure. In the encoding of the ∀R
rule, when we introduce new eigenvariables of type expr, we need to assume that they are
proper. This assumption might be required for proving subgoals of the form (abstr E) for
subterms E :: expr ⇒ expr that appear in the goal as arguments to binding constructors; see
MC-Lemma 3 (proper_abst).

We remark that the only dependence on Hybrid in this layer is on the definition of proper. 
This will also be true of the SL we consider in Section 5. Although we do not discuss it here, 
we could use SLs with (different) kinds of quantifiers that could not be implemented via a 

Proven in Isabelle/HOL's library in the form (⋀n. ∀m < n. P m ⟹ P n) ⟹ P x.
datatype but only with Hybrid constants; for example universal quantification in higher-
order logic. In this case, the specification layer would have a much greater dependence
on Hybrid. On the other hand, if we take the alternative solution to proper terms mentioned 
earlier (when discussing MC-Lemma 3) and replace expr with a type prpr containing exactly 
the terms that satisfy proper, and consider only the SLs presented in this paper, then these 
SLs can be parameterized by the type of terms used in quantification, and can be instantiated 
with types other than prpr. 

In the last two rules in Figure 5, atoms are provable either by assumption or via
backchaining over a set of Prolog-like rules, which encode the properties of the OL in ques-
tion as an inductive definition of the predicate prog of type [atm, oo] ⇒ bool, which will be
instantiated in Section 4.2. The sequent calculus is parametric in those clauses and so are
its meta-theoretical properties. Because prog is static it will be mentioned explicitly only
in adequacy proofs. The notation A ⟸ G in Figure 5 represents an instance of one of the
clauses of the inductive definition of prog.

As a matter of fact our encoding of the judgment Γ ▷ₙ G can be seen as a simple exten-
sion of the so-called "vanilla" Prolog meta-interpreter, often known as demo [53]; similarly,
the bc rule would correspond to the following clause, using the predicate prog in place of
Prolog's built-in clause:

    demo(Gamma, s(N), A) :- prog(A, G), demo(Gamma, N, G).

Existential quantification could be added to the grammar of goals, as follows:

    ⟦∃x. Γ ▷ₙ (G x)⟧ ⟹ Γ ▷ₙ₊₁ (ex x. G x)

but this yields no real increase in expressivity, as existentials in the body of goals can be
safely transformed to outermost universal quantifiers, while (continuing the logic program-
ming analogy) the above rule simply delegates the witness choice to the ambient logic uni-
fication algorithm.

As before, the fact that provability is inductive yields inversion principles as elimination
rules. For example the inversion theorem that analyzes the shape of a derivation ending in
an atom from the empty context is obtained simply with a call to the standard mk_cases
function, namely mk_cases "▷ᵢ ⟨A⟩" is:

    ⟦▷ᵢ ⟨A⟩; ⋀G j. ⟦A ⟸ G; ▷ⱼ G; i = Suc j⟧ ⟹ P⟧ ⟹ P

The adequacy of the encoding of the SL can be established adapting the analogous
proof in [69]. To do so, we overload the decoding function in several ways. First, we need to
decode terms of types other than expr. For example, decoding terms of type expr ⇒ expr is
required for most OLs. For Mini-ML, we also need to decode terms of type tp. The decoding
is extended in the obvious way. For example, for decoding second-order terms, we define
δ_Σ(λx. E x) = λx. δ_{Σ,x}(E x). Second, to decode both goals and clauses, we extend Σ to
allow both first- and second-order variables. We can then extend the decoding so that if G
is a term of type oo with free variables in Σ, then δ_Σ(G) is its translation to a formula of
minimal logic, and if Γ is a term of type atm set, then δ_Σ(Γ) is its translation to a
set of atomic formulas of minimal logic. In addition, we restrict the form of the definition of
prog so that every clause of the inductive definition is a closed formula of the form:

    ⟦abstr E₁; ...; abstr Eₙ⟧ ⟹ A ⟸ G

where Σ is a set of variables including at least E₁, ..., Eₙ, each of type expr ⇒ expr, with
n ≥ 0. To obtain a theory in minimal logic that corresponds to the definition of prog, we
decode each clause to a formula of minimal logic of the form ∀Σ(δ_Σ(G) ⟶ δ_Σ(A)). For
SL adequacy, we also need to introduce two conditions, which become additional proof
obligations when establishing OL adequacy. They are:

1. It is only ever possible to instantiate universal quantifiers in prog clauses with terms for
which the decoding is defined.

2. For every term E :: expr ⇒ expr used to instantiate universal quantifiers in prog clauses,
(abstr E) holds.

The latter will follow from the former and the fact that for all terms E :: expr ⇒ expr for
which the decoding is defined, (abstr E) holds.

Lemma 17 (Soundness and completeness of the encoding of the specification logic) Let
prog be an inductive definition of the restricted form described above, and let Π be the
corresponding theory in minimal logic. Let G be a formula of type oo and let Γ be a set of
atoms. Let Σ be a set of variables of type expr that contains all the free variables in Γ and G.
Then the sequent proper Σ ⟹ Γ ▷ G has a minimal derivation in Isabelle/HOL (satisfying
conditions 1 and 2 above) if and only if there is a derivation of Σ; δ_Σ(Γ) ⟶_Π δ_Σ(G)
according to the rules of Figure 4.

Proof The proof of the forward direction follows directly by induction on the minimal
derivation of proper Σ ⟹ Γ ▷ G. Compositionality (Lemma 12) is needed for the case when
Γ ▷ G is proved by the last clause of Figure 5. The proof of the backward direction is by
direct induction on the derivation of Σ; δ_Σ(Γ) ⟶_Π δ_Σ(G). Compositionality (Lemma 12)
and conditions 1 and 2 are needed for the bc case. □

MC-Theorem 18 (Structural Rules) The following rules are admissible:

1. Height weakening: ⟦Γ ▷ₙ G; n < m⟧ ⟹ Γ ▷ₘ G.

2. Context weakening: ⟦Γ ▷ₙ G; Γ ⊆ Γ'⟧ ⟹ Γ' ▷ₙ G.

3. Atomic cut: ⟦A, Γ ▷ G; Γ ▷ ⟨A⟩⟧ ⟹ Γ ▷ G.

Proof

1. The proof, by structural induction on sequents, consists of a one-line call to an automatic
tactic using the elimination rule for successor (from the Isabelle/HOL library) and the
introduction rules for the sequent calculus.

2. By a similar fully automated induction on the structure of the sequent derivation, com-
bining resolution on the sequent introduction rules with simplification in order to dis-
charge some easy set-theoretic subgoals.

3. Atomic cut is a corollary of the following lemma:

    ⟦A, Γ ▷ᵢ G; Γ ▷ⱼ ⟨A⟩⟧ ⟹ Γ ▷ᵢ₊ⱼ G

easily proved by complete induction on the height of the derivation of A, Γ ▷ᵢ G. The
whole proof consists of two dozen instructions, with very little ingenuity required from
the human collaborator.

□



This lemma turns out to be fairly useful, as it permits manipulation as appropriate of the height of two
sub-derivations, such as in the ∧R rule.
    Inductive _ ⟸ _ :: [atm, oo] ⇒ bool

      isterm (E₁ @ E₂) ⟸ (isterm E₁) and (isterm E₂)
      ⟦abstr E⟧ ⟹ isterm (fun x. E x) ⟸ all x. (isterm x) imp (isterm (E x))
      ⟦abstr E⟧ ⟹ isterm (fix x. E x) ⟸ all x. (isterm x) imp (isterm (E x))

      ⟦abstr E₁'⟧ ⟹ (E₁ @ E₂) ⇓ V ⟸
          (E₁ ⇓ fun x. E₁' x) and (E₂ ⇓ V₂) and ((E₁' V₂) ⇓ V)
      ⟦abstr E⟧ ⟹ (fun x. E x) ⇓ (fun x. E x) ⟸ (isterm (fun x. E x))
      ⟦abstr E⟧ ⟹ (fix x. E x) ⇓ V ⟸ (E (fix x. E x) ⇓ V) and (isterm (fix x. E x))

      (E₁ @ E₂) : T ⟸ (E₁ : (T' → T)) and (E₂ : T')
      ⟦abstr E⟧ ⟹ (fun x. E x) : (T → T') ⟸ all x. (x : T) imp ((E x) : T')
      ⟦abstr E⟧ ⟹ (fix x. E x) : T ⟸ all x. (x : T) imp ((E x) : T)

Fig. 6 OL clauses: encoding of well-formedness, evaluation and typing.



4.2 The Object Logic 

Recall the rules for call-by-value operational semantics (e ⇓ v) and type inference (Γ ⊢ e : τ)
given in Figure 2. The subject reduction for this source language is stated as usual.

Theorem 19 (Subject Reduction) If e ⇓ v and ⊢ e : τ, then ⊢ v : τ.

Proof By structural induction on evaluation and inversion on typing, using weakening and
a substitution lemma in the ev_app and ev_fix cases. □

We now return to the encoding of the OL, this time using the SL to encode judgments. 
The encoding of OL syntax is unchanged. (See Section 3.) Recall that it involved introducing 
a specific type for con. Here, we will also instantiate type atm and predicate prog. In this 
section and the next, we now also make full use of the definitions and theorems in both 
Hybrid and the SL layers. 

Type atm is instantiated as expected, defining the atomic formulas of the OL. 

    datatype atm = isterm uexp | uexp ⇓ uexp | uexp : tp

The clauses for the OL deductive systems are given as rules of the inductive definition prog
in Figure 6 (recall the notation _ ⟸ _). Recall that the encoding of evaluation in Figure 3
and the encoding of the isterm predicate for adequacy purposes both used inductive defini-
tions. Here we define them both at the SL level along with the OL level typing judgment.
Note that no explicit variable context is needed for this version of isterm. Such contexts are
handled implicitly by the contexts of atomic assumptions of the SL, resulting in a more direct en-
coding. As before, in the evaluation clauses, there are no proper assumptions and two isterm
assumptions. Neither kind of assumption appears in the clauses for the typing rules. None is
required to prove the analogue of MC-Lemma 14 for both evaluation and typing.

MC-Lemma 20 (eval_proper, eval_isterm, hastype_proper, hastype_isterm)

1. ▷ (E ⇓ V) ⟹ proper E ∧ proper V

2. ▷ (E ⇓ V) ⟹ ▷ (isterm E) ∧ ▷ (isterm V)

3. ▷ (E : T) ⟹ proper E

4. ▷ (E : T) ⟹ ▷ (isterm E)
Proof All the proofs are by standard induction on the given derivation, except the last one,
whose statement needs to be generalized as follows:

    ⟦∀E T. (E : T) ∈ Γ ⟶ (isterm E) ∈ Γ'; Γ ▷ (E : T)⟧ ⟹ Γ' ▷ (isterm E)

□

With the new version of isterm, we restate the Validity and Completeness of Representation
lemmas (Lemmas 10 and 11). Let Γ be the set {x₁ : uexp, ..., xₙ : uexp} and let Γ̂ be the set
of atoms {isterm x₁, ..., isterm xₙ}.

Lemma 21 (Two-level Validity of Representation) If Γ ⊢ e, then the following is provable
in Isabelle/HOL:

    proper Γ ⟹ Γ̂ ▷ (isterm ε_Γ(e))

Lemma 22 (Two-level Completeness of Representation) If there is a minimal derivation
in Isabelle/HOL of proper Γ ⟹ Γ̂ ▷ (isterm E), then δ_Γ(E) is defined and yields a Mini-
ML expression t such that Γ ⊢ t and ε_Γ(δ_Γ(E)) = E. Furthermore, δ_Γ(ε_Γ(t)) = t.

We will skip the statement and proof of two-level adequacy of the other OL judgments, hop- 
ing that the reader will spot the similarity with the above two lemmas. Note that, although 
we do not state it formally, condition 1 of Lemma 17 follows from completeness lemmas 
such as Lemma 22. The isterm and abstr assumptions added to the clauses of Figure 6 are 
exactly the ones needed to establish this fact for this OL. 

We remark again that the combination of Hybrid with the use of an SL allows us to
simulate definitional reflection [50] via the built-in elimination rules of the prog inductive
definition without the use of additional axioms. For example the inversion principle of the
function typing rule is:

    ⟦(fun x. E x) : T ⟸ G; ⋀F T₁ T₂. ⟦abstr F; G = all x. (x : T₁) imp ((F x) : T₂);
      lambda E = lambda F; T = (T₁ → T₂)⟧ ⟹ P⟧ ⟹ P

Before turning to the proof of Theorem 19, we first illustrate the use of this encoding
with the following simple OL typing judgment.

MC-Lemma 23 ∃T. ▷ (fun x. fun y. x @ y : T)

Proof This goal is equivalent to: ∃T ∃n. ∅ ▷ₙ (fun x. fun y. x @ y : T). It can be proved fully
automatically by a simple tactic described below. Here, we describe the main steps in detail
to acquaint the reader with the OL/SL dichotomy and in particular to show how the two
levels interact. We use the instantiations for T and n that would be generated by the tactic
and show:

    ▷₈ (fun x. fun y. x @ y : (i → i) → (i → i)).

We apply the last rule of the SL in Figure 5, instantiating the first premise with the OL clause
from Figure 6 encoding the tp_fun rule for typing abstractions, leaving two premises to be
proved:

    (fun x. fun y. x @ y) : (i → i) → (i → i) ⟸ all x. (x : i → i) imp (fun y. x @ y : i → i);
    ▷₇ all x. (x : i → i) imp (fun y. x @ y : i → i).

The first now matches directly the clause in Figure 6 for tp_fun, resulting in the proof
obligation (abstr λx. fun y. x @ y) which is handled automatically by abstr_tac discussed in
Section 3. To prove the second, we apply the all and imp rules of the SL to obtain the goal:

    ⟦proper x⟧ ⟹ {x : i → i} ▷₅ (fun y. x @ y : i → i).

We now have a subgoal of the same "shape" as the original theorem. Repeating the same
steps, we obtain:

    ⟦proper x; proper y⟧ ⟹ {x : i → i, y : i} ▷₂ (x @ y : i).

Along the way, the proof obligation (abstr λy. x @ y) is proved by abstr_tac. The assumption
(proper x) is needed to complete this proof. At this point, we again apply the SL backchain
rule using the OL clause for tp_app, obtaining two subgoals, the first of which is again
directly provable from the OL definition. The second:

    ⟦proper x; proper y⟧ ⟹ {x : i → i, y : i} ▷₁ (x : i → i) and (y : i).

is completed by applying the rules in Figure 5 encoding the ∧R and init rules of the SL. □

The code for the 2lprolog_tac tactic automating this proof and others involving OL goals
using the SL is a simple modification of the standard fast_tac tactic:

    fun 2lprolog_tac defs i =
      fast_tac (HOL_cs addIs seq.intrs @ prog.intrs
                addss (simpset() addSolver (abstr_solver defs))) i;

It is based on logic programming style depth-first search (although we could switch to
breadth-first or iterative deepening) using a small set of initial axioms for the core of higher-
order logic (HOL_cs), the rules of the SL (seq.intrs) and of the OL (prog.intrs). Addi-
tionally, it also employs simplification augmented with abstr_tac as discussed in Section 3.
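The demo reading of Figure 5 given in Section 4.1 and the hand derivation of MC-Lemma 23 above can both be exercised with a small interpreter for the SL. The following Python program is an added illustration, not Hybrid's Isabelle code and not the 2lprolog_tac tactic. It assumes Python closures in place of Hybrid's expr ⇒ expr binders, TVar metavariables with first-order unification in place of Isabelle's schematic variables, and frozensets for the set-based SL contexts of Section 4.1. The eval clauses of Figure 6 are left out, since backchaining on them needs unification over terms and not only over types; the goal of MC-Lemma 23 with the tactic's instantiation of T is constructed input.

```python
# Toy interpreter for the minimal SL of Figure 5, with the isterm and typing
# clauses of Figure 6 as the prog database.  Added illustration, not Hybrid's
# Isabelle code and not the 2lprolog_tac tactic.  Assumed stand-ins: Python
# closures for Hybrid's expr => expr binders, TVar metavariables with first-order
# unification for Isabelle's schematic variables, frozensets for SL contexts.
# Heights are exact, as in Figure 5; the eval clauses are left out because
# backchaining on them needs unification over terms, not only over types.
from collections import namedtuple
from itertools import count

Var = namedtuple("Var", "name")      # eigenvariable introduced by the SL 'all' rule
App = namedtuple("App", "fn arg")    # E1 @ E2
Fun = namedtuple("Fun", "body")      # fun x. body(x): the binder is a Python closure
TVar = namedtuple("TVar", "id")      # type metavariable
Arr = namedtuple("Arr", "dom cod")   # T1 -> T2
I = "i"                              # the base type
And = namedtuple("And", "left right")
Imp = namedtuple("Imp", "atom goal")
All = namedtuple("All", "body")      # all x. body(x), body: Var -> goal
TT = "tt"                            # atoms are plain tuples: ("hastype", e, t) / ("isterm", e)
_ids = count()

def walk(t, s):
    while isinstance(t, TVar) and t in s:
        t = s[t]
    return t

def unify(a, b, s):
    """First-order unification on types and atoms; returns the extended substitution or None."""
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if isinstance(a, TVar):
        return {**s, a: b}
    if isinstance(b, TVar):
        return {**s, b: a}
    if type(a) is type(b) and isinstance(a, tuple) and len(a) == len(b):
        for x, y in zip(a, b):          # same constructor: unify argument-wise
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return None                         # clash, e.g. a fun against an eigenvariable

def prog(atom, s):
    """Backchaining database (Figure 6, isterm and typing): yields (G, subst) with A <== G."""
    kind, e = atom[0], atom[1]
    if kind == "isterm" and isinstance(e, App):
        yield And(("isterm", e.fn), ("isterm", e.arg)), s
    elif kind == "isterm" and isinstance(e, Fun):
        yield All(lambda x: Imp(("isterm", x), ("isterm", e.body(x)))), s
    elif kind == "hastype" and isinstance(e, App):     # tp_app, with a fresh T'
        t1 = TVar(next(_ids))
        yield And(("hastype", e.fn, Arr(t1, atom[2])), ("hastype", e.arg, t1)), s
    elif kind == "hastype" and isinstance(e, Fun):     # tp_fun: head unifies T with T1 -> T2
        t1, t2 = TVar(next(_ids)), TVar(next(_ids))
        s2 = unify(atom[2], Arr(t1, t2), s)
        if s2 is not None:
            yield All(lambda x: Imp(("hastype", x, t1), ("hastype", e.body(x), t2))), s2

def prove(gamma, n, goal, s):
    """Gamma |>_n G with the exact heights of Figure 5; yields every closing substitution."""
    if goal == TT:
        yield s
    elif isinstance(goal, tuple) and not isinstance(goal, (And, Imp, All)):
        for a in gamma:                 # init: A in Gamma, modulo unification
            s2 = unify(goal, a, s)
            if s2 is not None:
                yield s2
        if n > 0:                       # bc: some A <== G in prog, then G at height n-1
            for body, s2 in prog(goal, s):
                yield from prove(gamma, n - 1, body, s2)
    elif n == 0:
        return                          # the remaining rules all need height n+1
    elif isinstance(goal, And):
        for s2 in prove(gamma, n - 1, goal.left, s):
            yield from prove(gamma, n - 1, goal.right, s2)
    elif isinstance(goal, Imp):
        yield from prove(gamma | {goal.atom}, n - 1, goal.goal, s)
    else:                               # All: fresh eigenvariable, 'proper' by construction
        yield from prove(gamma, n - 1, goal.body(Var(f"x{next(_ids)}")), s)

def provable(goal, n, gamma=frozenset()):
    return any(True for _ in prove(gamma, n, goal, {}))

def min_height(goal, gamma=frozenset(), limit=20):
    """Smallest n with Gamma |>_n G, i.e. the n a depth-bounded search would report."""
    return next((n for n in range(limit + 1) if provable(goal, n, gamma)), None)

# Constructed input: the goal of MC-Lemma 23 with the tactic's instantiation of T.
K = Fun(lambda x: Fun(lambda y: App(x, y)))
GOAL23 = ("hastype", K, Arr(Arr(I, I), Arr(I, I)))

def lemma23_height():
    return min_height(GOAL23)           # 8, the height of the hand derivation above

if __name__ == "__main__":
    print("MC-Lemma 23 holds at minimal height", lemma23_height())
    print("same goal under a weakened context:", provable(GOAL23, 8, frozenset({("hastype", Var("z"), I)})))
    print("ill-typed K @ K : i, any height up to 20:", provable(("hastype", App(K, K), I), 20))
```

Searching heights 0, 1, 2, ... plays the role of the existential over n in the proof of MC-Lemma 23 and reports 8, the height of the hand derivation; the same goal at height 7 fails because the final ∧R step has no height left. Running the goal under a context enlarged with an unrelated atom is an instance of context weakening (MC-Theorem 18, item 2), and the ill-typed K @ K : i is refused at every height because the head of tp_fun cannot unify the base type i with an arrow.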

Now we have all the elements in place for a formal HOAS proof of Theorem 19. Note
that while a substitution lemma for typing plays a central role in the informal subject reduc-
tion proof, here, in the HOAS tradition, it will be subsumed by the use of the cut rule on the
hypothetical encoding of the typing of an abstraction.

MC-Theorem 24 (OL_subject_reduction)

    ∀n. ▷ₙ (E ⇓ V) ⟹ (∀T. ▷ (E : T) ⟶ ▷ (V : T))

Proof The proof is by complete induction on the height of the derivation of evaluation. It
follows closely the proofs in [36,69], although those theorems are for the lazy λ-calculus,
while here we consider eager evaluation. Applying meta-level introduction rules and induc-
tion on n, we obtain the sequent:

    ⟦IH; ▷ₙ (E ⇓ V); ▷ (E : T)⟧ ⟹ ▷ (V : T)

where IH is the induction hypothesis:

    ∀m < n. ∀E V. ▷ₘ (E ⇓ V) ⟶ (∀T. ▷ (E : T) ⟶ ▷ (V : T)).

Since the right side of the SL sequent in the middle hypothesis is an atom and the left side
is empty, any proof of this sequent must end with the last rule of the SL in Figure 5, which
implements the bc rule. Also, since the right side is an evaluation judgment, backchaining
must occur on one of the middle three clauses of the OL in Figure 6, thus breaking the
proof into three cases. In the formal proof, we obtain these three cases by applying standard
inversion tactics:

    ⟦IH[i+1/n]; abstr E₁'; ▷ᵢ ((E₁ ⇓ fun x. E₁' x) and (E₂ ⇓ V₂) and ((E₁' V₂) ⇓ V));
      ▷ ((E₁ @ E₂) : T)⟧ ⟹ ▷ (V : T)                                                (2)

    ⟦IH[i+1/n]; abstr E; ▷ᵢ (isterm (fun x. E x)); ▷ ((fun x. E x) : T)⟧
      ⟹ ▷ ((fun x. E x) : T)

    ⟦IH[i+1/n]; abstr E; ▷ᵢ ((E (fix x. E x) ⇓ V) and (isterm (fix x. E x)));
      ▷ ((fix x. E x) : T)⟧ ⟹ ▷ (V : T)

where IH[i+1/n] denotes IH with the single occurrence of n replaced by i+1. The theo-
rems mentioned earlier about injectivity and distinctness of the constructors fun, @, and fix
are used by the inversion tactics. In contrast, in the proof in [36], because these construc-
tors were not defined inductively, specialized inversion theorems were proved from axioms
stating the necessary injectivity and distinctness properties, and then applied by hand. The
second subgoal above is directly provable. We illustrate the first one further. Applying in-
version to both the third and fourth hypotheses of the first subgoal reduces it to:

    ⟦IH[i+3/n]; abstr E₁'; ▷ᵢ₊₁ (E₁ ⇓ fun x. E₁' x); ▷ᵢ (E₂ ⇓ V₂);
      ▷ᵢ ((E₁' V₂) ⇓ V); ▷ (E₁ : T' → T); ▷ (E₂ : T')⟧
      ⟹ ▷ (V : T).

It is now possible to apply the induction hypothesis to the typing and evaluation judgments
for E₁ and E₂ to obtain:

    ⟦IH[i+3/n]; abstr E₁'; ▷ᵢ₊₁ (E₁ ⇓ fun x. E₁' x); ▷ᵢ (E₂ ⇓ V₂); ▷ᵢ ((E₁' V₂) ⇓ V); ...;
      ▷ ((fun x. E₁' x) : T' → T); ▷ (V₂ : T')⟧ ⟹ ▷ (V : T).

We can now apply inversion to the hypothesis with the arrow typing judgment involving
both the fun constructor of the OL and the all constructor of the SL. Inversion at the OL
level gives:

    ⟦IH[i+3/n]; abstr E₁'; ▷ᵢ₊₁ (E₁ ⇓ fun x. E₁' x); ▷ᵢ (E₂ ⇓ V₂); ▷ᵢ ((E₁' V₂) ⇓ V); ...;
      ▷ (V₂ : T'); abstr E; lambda E = lambda E₁'; ▷ all x. ((x : T') imp ((E x) : T))⟧
      ⟹ ▷ (V : T).

The application of the inversion principle prog.mk_cases similar to the one from Section 3
is evident here. MC-Theorem 4 can be applied to conclude that E = E₁'. Applying inversion
at the SL level gives:

    ⟦IH[i+3/n]; abstr E; ▷ᵢ₊₁ (E₁ ⇓ fun x. E x); ▷ᵢ (E₂ ⇓ V₂); ▷ᵢ ((E V₂) ⇓ V); ...;
      ▷ (V₂ : T'); ∀x. (proper x ⟶ ▷ ((x : T') imp ((E x) : T)))⟧
      ⟹ ▷ (V : T).

Inversion cannot be applied directly under the universal quantification and implication of
the last premise, so we prove the following inversion lemma, which is also useful for the fix
case of this proof.

    ⟦∀x. proper x ⟶ Γ ▷ᵢ ((x : T₁) imp ((E x) : T₂))⟧ ⟹ ∃j. i = j + 1 ∧                (3)
      ∀x. proper x ⟶ (x : T₁, Γ ▷ⱼ ((E x) : T₂))

From this lemma, and the fact that (proper V₂) holds by MC-Lemma 14, we obtain:

    ⟦IH[i+3/n]; abstr E; ▷ᵢ₊₁ (E₁ ⇓ fun x. E x); ▷ᵢ (E₂ ⇓ V₂); ▷ᵢ ((E V₂) ⇓ V); ...;
      ▷ (V₂ : T'); {V₂ : T'} ▷ⱼ ((E V₂) : T)⟧
      ⟹ ▷ (V : T).

Applying the cut rule of MC-Theorem 18 allows us to conclude ▷ ((E V₂) : T). We can
then complete the proof by applying the induction hypothesis a third time using this fact and
▷ᵢ ((E V₂) ⇓ V). □

A key point in this section, perhaps worth repeating, is that the clauses for typing are
not inductive and would be rejected in an inductive-based proof assistant, or at best, asserted
with no guarantee of consistency. Here, instead, the typing rules are encapsulated into the
OL level (the prog predicate) and executed via the SL, so that OL contexts are implicitly
represented as SL contexts. Therefore, we are able to reproduce full HOAS proofs, at the
price of a small degree of indirectness, namely the need for an interpreter (the SL) for the prog
clauses (the OL). One may argue that this seems at first sight a high price to pay, since we
lose the possibility of attacking the given problem directly within the base calculus and its
tools. However, very simple tactics, including a few safe additions to Isabelle/HOL's default
simplifier and rule set, make the use of the SL in OL proofs hardly noticeable, as we explain
next.



4.3 Tactical support 

We chose to develop Hybrid as a package, rather than a stand-alone system, mainly to exploit
all the reasoning capabilities that a mature proof assistant can provide: decision procedures,
rewrite rules, counter-model checking, extensive libraries, and support for interactive theo-
rem proving. Contrast this with a system such as Twelf, where proofs are manually coded
and post-hoc checked for correctness. Moreover, in Twelf as well as in Abella, any do-
main specific knowledge has to be coded as logic programming theories and all the relevant
theorems proven about them. At the same time, our aim is to try to retain some of the
conciseness of a language such as LF, which for us means hiding most of the administrative
reasoning concerning variable binding and contexts. Because of the "hybrid" nature of our
approach, this cannot be completely achieved, but some simple-minded tactics go a long
way toward mechanizing most of the boilerplate scripting. We have already explained how to
use specific tactics to recognize proper terms and abstractions. Now, we can concentrate on
assisting two-level reasoning, which would otherwise be encumbered by the indirection in
accessing OL specifications via the SL. Luckily, Twelf-like reasoning consists, at a high-

In Isabelle a rule is considered safe roughly if it does not involve backtracking on instantiation of un-
knowns.

Twelf does have constraint domains such as the rationals, but those are currently incompatible with
totality checking, making meta-proofs very hard to trust.

In Abella this is even more apparent.
    Inductive _ ⇓ _ :: [uexp, uexp] ⇒ bool

      ⟦E₁ ⇓ fun x. E' x; E₂ ⇓ V₂; (E' V₂) ⇓ V; abstr E'⟧ ⟹ (E₁ @ E₂) ⇓ V
      ⟦▷ (isterm (fun x. E x)); abstr E⟧ ⟹ fun x. E x ⇓ fun x. E x
      ⟦E (fix x. E x) ⇓ V; ▷ (isterm (fix x. E x)); abstr E⟧ ⟹ fix x. E x ⇓ V

Fig. 7 Alternate HOAS encoding of big step evaluation



level, of three basic steps: inversion, which subsumes instantiation of (meta-level) eigen-
variables as well as (case) analysis on the shape of a given judgment, backchaining (filling,
in Twelf's terminology) and recursion. This corresponds to highly stereotyped proof scripts
that we have abstracted into:

1. an inversion tactic defL_tac, which goes through the SL inverting on the bc rule and
applies as an elimination rule one of the OL clauses. This is complemented by the eager
application of other safe elimination rules (viz. invertible SL rules such as conjunction
elimination). This contributes to keeping the SL overhead to a minimum;

2. a dual backchaining tactic defR_tac, that calls bc and the applicable prog rule. The latter
is the basic single step inside the tactic 2lprolog_tac, which performs automatic depth-first
search (or other searches supported by Isabelle) on Prolog-like goals;

3. a complete induction tactic, to be fired when given the appropriate derivation height by
the user and yielding as additional premise the result of the application of the IH.

4.4 A Variation

As mentioned, the main reason to explicitly encode a separate notion of provability is the
intrinsic incompatibility of induction with non-stratifiable hypothetical judgments. On the
other hand, as remarked in [77], our definition of OL evaluation, though it exploits Hybrid's
HOAS to implement OL substitution, makes no use of hypothetical judgments. In fact, our
encoding in Figure 3 showed that it is perfectly acceptable to define evaluation of the OL at
the meta-level. Now, we can give a modified version of this definition using the new isterm
defined at the SL level. The new definition is given in Figure 7. Moreover, it is easy to show
(formally) that the encoding in Figure 7 is equivalent to the one in Figure 6:

MC-Theorem 25 E ⇓ V if and only if ▷ (E ⇓ V).

Proof Left-to-right holds by straightforward structural induction on evaluation using in-
troduction rules over sequents and prog clauses. The converse is a slightly more delicate
complete induction on the height of the derivation, requiring some manual instantiations.

□

The same remark applies also to hypothetical and parametric judgments, provided they
are stratified (see the previously cited definition of applicative bisimulation). This suggests
that we can, in this case, take a different approach from McDowell & Miller's architec-
ture [69] and opt to delegate to the OL level only those judgments, such as typing, that
would not be inductive at the meta-level. This has the benefit of limiting the indirectness of
using an explicit SL. Moreover, it has the further advantage of replacing complete induc-
tion with structural induction, which is better behaved from a proof-search point of view.
Complete induction, in fact, places an additional burden on the user by requiring him/her
to provide the correct instantiation for the height of the derivation in question, so that the
inductive hypothesis can be fired. While this is not an intellectual issue, it often limits the
possibility of a complete, i.e., without user intervention, mechanization of a proof via the
automatic tools provided by the proof assistant.

As it turns out, this approach is again reminiscent of a fairly old idea from the theory 
of logic programming, namely the amalgamation of object and meta-language as initially 
suggested in [15], where clauses can be written interspersing ordinary Prolog predicates 
with calls to a specific meta-interpreter of the demo sort. This clearly also pertains to goals, 
i.e., in our setting, theorems: subject reduction at the meta-level (i.e., amalgamated subject 
reduction) has the form: 

MC-Theorem 26 (meta_subject_reduction) 

$$E \Downarrow V \Longrightarrow \forall T.\ \rhd(E : T) \Longrightarrow \rhd(V : T)$$

Proof The proof is similar but slightly simpler than the proof of MC-Theorem 24. Instead of 
complete induction, we proceed by structural induction on the evaluation judgment, which 
breaks the proof into three cases. We again consider the application case: 

$$[\![\, IH_1;\ IH_2;\ IH_3;\ \mathit{abstr}\ E_1';\ (E_1 \Downarrow \mathsf{fun}\,x.\,E_1'\,x);\ (E_2 \Downarrow V_2);\ ((E_1'\,V_2) \Downarrow V);\ \rhd((E_1\ @\ E_2) : T)\,]\!] \Longrightarrow \rhd(V : T)$$

where $IH_1$, $IH_2$, and $IH_3$ are the following three induction hypotheses: 

$$\begin{aligned}
IH_1 &: \forall T.\ \rhd(E_1 : T) \Longrightarrow \rhd((\mathsf{fun}\,x.\,E_1'\,x) : T)\\
IH_2 &: \forall T.\ \rhd(E_2 : T) \Longrightarrow \rhd(V_2 : T)\\
IH_3 &: \forall T.\ \rhd((E_1'\,V_2) : T) \Longrightarrow \rhd(V : T)
\end{aligned}$$

This subgoal corresponds to subgoal (2) in the proof of MC-Theorem 24, with several dif- 
ferences. For instance, subgoal (2) was obtained by an application of complete induction 
followed by inversion on the OL and SL, while the above subgoal is a direct result of apply- 
ing structural induction. Also, although both subgoals have three evaluation premises, in (2) 
they are inside conjunction at the SL level. Finally, the general induction hypothesis IH on 
natural numbers in (2) is replaced by three induction hypotheses here, generated from the 
premises of the meta-level definition of the evaluation rule for application. The remaining 
steps of the proof of this case are essentially the same as the steps for MC-Theorem 24. 
Inversion on the typing judgment is used exactly as before since in both proofs, typing is 
expressed via the SL. Also, the three induction hypotheses in this proof are used to reach 
the same conclusions as were obtained using the single induction hypothesis three times in 
the previous proof. □ 

Now that we have seen some proofs of properties of OLs, we can ask what the minimal 
set of theorems and tactics is that the two-level architecture needs from Hybrid. The answer 
is: very little. Essentially all we need is the quasi-freeness properties of the Hybrid type, 
which are inherited from the OL: 

- clash rules to rule out impossible cases in elimination rules; 

- injectivity facts, all going back to abstr_lam_simp, to simplify equations of the form 
lambda E = lambda F for second-order functions E and F; 

- an abstraction solver (again, no longer needed in a newer version of Isabelle/HOL and of our package [80]). 
The reader may find in [77] other examples, such as the verification of properties of 
compilation, of encoding OLs using inductive predicates (types) at the meta-level for all 
stratifiable object-level judgments. However, this style of reasoning is viable only when 
there is a substantial coincidence between the meta-logical properties of the SL and the 
ambient (meta-) logic. Were such properties to clash with an encoding that could benefit 
from being driven by a more exotic logic, then all OL predicates will have to be embedded 
as prog clauses. This, it may be argued, is a relatively small price to pay for the possibility of 
adopting an SL that better fits the logical peculiarities of interesting OLs, as we investigate 
next. 



5 Ordered Linear Logic as a Specification Logic 

In this section we aim to show the flexibility of the two-level architecture by changing SL 
in order to have a better match with the encoding on hand; the case-study we consider here 
is the operational semantics of a continuation-based abstract machine, where evaluation is 
sequentialized: an instruction is executed in the context of a continuation describing the rest 
of the computation and eventually returning an answer. We will adopt an ordered logical 
framework (OLF) [96]. The general methodology consists of refining a logical framework 
in a conservative way, so as to capture different object-level phenomena at the right level 
of abstraction. Conservativity here guarantees that if a new feature (such as order) is not 
required, it does not interfere with the original system. 

Although frameworks based on intuitionistic logic have been fairly fruitful, it so hap- 
pens that the structural properties of the framework, namely weakening, contraction and 
exchange, are inherited by the object-level encodings. We have argued that one of the keys 
to the success of an encoding lies in the ability of specifying judgments "in-a-context" ex- 
ploiting the context of the SL itself; however those properties may not always be appropriate 
for every domain we want to investigate. Another case in point is the meta-theory of lan- 
guages with imperative features, where the notion of (updatable) state is paramount. It has 
been frequently observed that an elegant representation of the store may rely on a volatile 
notion of context. Linear logic is then the natural choice, since it offers a notion of context 
where each assumption must be used exactly once; a declarative encoding of store update 
can be obtained via linear operations that, by accessing the context, consume the old assump- 
tion and insert the new one. This is one of the motivations for proposing frameworks based 
on linear logics (see [74] for an overview) such as Lolli [54], Forum [73], and LLF [20], a 
conservative extension of LF with multiplicative implication, additive conjunction, and unit. 
Yet, at the time of writing this article, work on the automation of reasoning in such frame- 
works is still in its infancy [67] and may take other directions, such as hybrid logics [102]. 
The literature offers only a few formalized meta-theoretical investigations with linear logic 
as a framework, an impressive one being the elegant encoding of type preservation of Mini- 
ML with references (MLR) in LLF [20]. However, none of them comes with anything like 
a formal certification of correctness that would make people believe they are in the pres- 
ence of a proof. Encoding in LLF lacks an analogue of Twelf 's totality checker. Moreover 
this effort may be reserved to LLF's extension, the Concurrent Logical Framework [115]. A 
FOλ^ΔIN proof of a similar result is claimed in [69], but not only is the proof not available, 
it was also carried out with Eriksson's Pi, a proof checker [34] for the theory of partial 
inductive definitions, another software system that seems not to be available anymore. 

This alone would more than justify the use of a fragment of linear logic as an SL on 
top of Hybrid, whose foundation, we have argued, is not under discussion. However, we 
want to go beyond the logic of state, towards a logic of order. In fact, a continuation-based 
abstract machine follows an order, viz. a stack-like discipline; were we able to also inter- 
nalize this notion, we would be able to simplify the presentation, and hence, the verification 
of properties of the continuation itself, taking an additional step on the declarative ladder. 
Our contribution here to the semantics of continuation machines is, somewhat paradoxi- 
cally, to dispose of the notion of continuation itself via internalization in an ordered context, 
in analogy with how the notion of state is realized in the linear context. In particular, the 
ordered context is used to encode directly the stack of continuations to be evaluated, rather 
than building an explicit stack-like structure to represent a continuation. While this is the- 
oretically non-problematic, it introduces entities that are foreign to the mathematics of the 
problem and which bring their own numerous, albeit trivial, proof obligations. Further and 
more importantly, machine states can be mapped not into OL data, but into OL provability. 



Ordered (formerly known as non-commutative) linear logic [98] combines reasoning 
with unrestricted, linear and ordered hypotheses. Unrestricted (i.e., intuitionistic) hypothe- 
ses may be used arbitrarily often, or not at all regardless of the order in which they were 
assumed. Linear hypotheses must be used exactly once, also without regard to the order of 
their assumption. Ordered hypotheses must be used exactly once, subject to the order in 
which they are assumed. 



This additional expressive power allows the logic to handle directly the notion of stack. 
Stacks of course are ubiquitous in computer science and in particular when dealing with 
abstract and virtual machines. OLF has been previously applied to the meta-theory of pro- 
gramming languages, but only in paper and pencil proofs: Polakow and Pfenning [99] have 
used OLF to formally show that terms resulting from a CPS translation obey "stackability" 
and linearity properties [30]. Polakow and Yi [100] later extended these techniques to lan- 
guages with exceptions. Remarkably, the formalization in OLF provides a simple proof of 
what is usually demonstrated via more complex means, i.e., an argument by logical relations. 
Polakow [96] has also investigated proof-search and defined a first-order logic programming 
language with ordered hypotheses, called Olli, based on the paradigm of abstract logic pro- 
gramming and uniform proofs, from which we draw inspiration for our ordered SL, i.e., a 
second-order minimal ordered linear sequent calculus. 



We exemplify this approach by implementing a fragment of Polakow's ordered logic 
as an SL and test it with a proof of type preservation of a continuation machine for Mini- 
ML, as we sketched in [81]. For the sake of presentation we shall deal with a call-by-name 
operational semantics. It would not have been unreasonable to use MLR as a test case, 
where all the three different contexts would play a part. However, linearity has already been 
thoroughly studied, while we wish to analyze ordered assumptions in isolation, and for that 
aim, a basic continuation machine will suffice (but see [65] for a thorough investigation of 
the full case). Further, although the SL implementation handles all of second-order Olli and 
in particular proves cut-elimination for the whole calculus, we will omit references to the 
(unordered) linear context and linear implication, as well as to the ordered left implication, 
since they do not play any role in this case-study. 
Fig. 8 Sequent rules for Olli^→ 



5.1 Encoding the Specification Logic 

We call our specification logic Olli^→, as it corresponds to the aforementioned fragment of 
Olli, where '↠' denotes right-ordered implication. We follow [81] again in representing the 
syntax as: 

$$\begin{aligned}
\text{Goals}\quad   & G ::= A \mid A \Rightarrow G \mid A \twoheadrightarrow G \mid G_1 \wedge G_2 \mid \top \mid \forall x.\, G\\
\text{Clauses}\quad & P ::= \forall(A \leftarrow [G_1, \ldots, G_m] \mid [G'_1, \ldots, G'_k])
\end{aligned}$$

The body of a clause $\forall(A \leftarrow [G_1, \ldots, G_m] \mid [G'_1, \ldots, G'_k])$ consists of two lists, the first one of 
intuitionistic goals, the other of ordered ones. It represents the "logical compilation" of the 
formula $\forall(G_m \Rightarrow \cdots \Rightarrow G_1 \Rightarrow G'_k \twoheadrightarrow \cdots \twoheadrightarrow G'_1 \twoheadrightarrow A)$. We choose this compilation to emphasize 
that if one views the calculus as a non-deterministic logic programming interpreter, the latter 
would solve subgoals from innermost to outermost. Note also that this notion of clause 
makes additive conjunction useless, although we allow it in goals as a matter of style and 
consistency with the previous sections. 
Our sequents have the form: 

$$\Gamma;\ \Omega \longrightarrow_{\Pi} G$$

where Π contains the program clauses, which are unrestricted (i.e., they can be used an 
arbitrary number of times), Γ contains unrestricted atoms, Ω contains ordered atoms and 
G is the formula to be derived. Contexts are lists of hypotheses, where we overload the 
comma to denote adjoining an element to a list at both ends. To simplify matters further, 
we leave eigenvariable signatures implicit. One may think of the two contexts as one big 
context where the ordered hypotheses are in a fixed relative order, while the intuitionistic 
ones may float, copy or delete themselves. The calculus is depicted in Figure 8. Again, in this 
fragment of the logic, implications have only atomic antecedents. There are obviously two 
implication introduction rules: in rule ↠_R the antecedent A is appended to the right 
of Ω, while in the other rule we have (A, Γ), but it could have been the other way around, 
since here the order does not matter. Then we have all the other usual right sequent rules 
to break down the goal, and they all behave additively. Note how the ⊤_R rule can be used to 
discharge any unused ordered assumptions. For atomic goals there are two initial sequent 
rules, for the leaves of the derivation: init_Ω enforces linearity by requiring Ω to be a singleton 
list, while init_Γ demands that all ordered assumptions have been consumed. Additionally, 
there is a single backchaining rule that simultaneously chooses a program formula to focus 
upon and derives all the ensuing subgoals; rule (bc) is applied provided there is an instance 
A ← [G_1, ..., G_m] | [G'_1, ..., G'_k] of a clause in the program Π. Note that the rule assumes that 
every program clause must be placed to the left of the ordered context. This assumption is 
valid for our fragment of the logic because it only contains right ordered implications (↠) 
and the ordered context is restricted to atomic formulas. Furthermore, the ordering of the Ω_i 
in the conclusion of the rule is forced by our compilation of the program clauses. We leave 
to the keen reader the task of connecting formally our backchain rule to the focused uniform 
proof system of op. cit. [96]. 

This is not meant to say that intuitionistic meta-logic, (full) HOAS and list-based techniques cannot cope 
with mutable data: in fact, significant case studies have been tackled, for example Crary and Sarkar's proof 
of soundness for foundational certified code in typed assembly language for the x86 architecture [27], as well 
as the more recent attempt by Lee et al. [61] to verify an internal language for full SML. 

We encode this logical language by extending the datatype from Section 4.1 with right 
implication, where again outermost universal quantifiers will be left implicit in clauses. 

datatype oo = ··· | atm ↠ oo 

Our encoding of the Olli^→ sequent calculus uses three mutually inductive definitions, 
motivated by the compilation of the body of clauses into additive and multiplicative lists 
(note that Γ could have easily been a set, as in Section 4): 

Γ | Ω ▷_n G   :: [atm list, atm list, nat, oo] ⇒ bool 
    goal G has an ordered linear derivation from Γ and Ω of height n 

Γ ▶_n Gs      :: [atm list, nat, oo list] ⇒ bool 
    list of goals Gs is additively provable from Γ, of height n 

Γ | Ω ▶_n Gs  :: [atm list, atm list, nat, oo list] ⇒ bool 
    list of goals Gs is multiplicatively consumable given Γ and Ω, of height n 

The rendering of the first judgment is completely unsurprising (as a further simplification, the 
encoding of the ∀_R rule will not introduce the proper assumption, but the reader should keep in 
mind the fact that morally every eigenvariable is indeed proper), except, perhaps, for the 
backchain rule, which calls the list predicates required to recur on the body of a clause: 

[[ (A ← Ol | Il); Γ | Ω ▶_n Ol; Γ ▶_n Il ]] ⟹ Γ | Ω ▷_{n+1} ⟨A⟩ 

The notation A ← Ol | Il corresponds to the inductive definition of a set prog, this time of 
type [atm, oo list, oo list] ⇒ bool, see Figure 12; note that the encoding writes the list Ol of 
ordered subgoals first and the list Il of intuitionistic ones second, the reverse of the order used 
in the grammar above. Backchaining uses the two list judgments to 
encode, as we anticipated, execution of the (compiled) body of the focused clause. Intuition- 
istic list provability is just an additive recursion through the list of intuitionistic subgoals: 

⟹ Γ ▶_n [] 

[[ Γ | [] ▷_n G; Γ ▶_n Gs ]] ⟹ Γ ▶_{n+1} (G, Gs) 
Ordered list consumption involves an analogous recursion, but it behaves multiplicatively 
w.r.t. the ordered context. Reading the rule bottom up, the current ordered context Ω is non- 
deterministically split into two ordered parts, one, Ω_G, for the head and one, Ω_R, for the rest 
of the list of subgoals: 

⟹ Γ | [] ▶_n [] 

[[ osplit Ω Ω_G Ω_R; Γ | Ω_G ▷_n G; Γ | Ω_R ▶_n Gs ]] ⟹ Γ | Ω ▶_{n+1} (G, Gs) 

Therefore the judgment relies on the inductive definition of a predicate for order- 
preserving splitting of a context: 

⟹ osplit Ω [] Ω 

[[ osplit Ω_1 Ω_2 Ω_3 ]] ⟹ osplit (A, Ω_1) (A, Ω_2) Ω_3 

This corresponds to the usual logic programming predicate append(Ω_R, Ω_G, Ω) called with 
mode append(−, −, +). 

The rest of the sequent rules are encoded similarly to the previous SL (Figure 5) and the 
details are here omitted (and left to the web appendix of the paper, see hybrid.dsi.unimi.it/jar). 
Again we define Γ | Ω ▷ G iff there exists an n such that Γ | Ω ▷_n G, and simply 
▷ G iff [] | [] ▷ G. Similarly for the other judgments. 

MC-Theorem 27 (Structural Rules) The following rules are admissible: 

- Weakening for numerical bounds: 

1. [[ Γ | Ω ▷_n G; n ≤ m ]] ⟹ Γ | Ω ▷_m G 

2. [[ Γ | Ω ▶_n Gs; n ≤ m ]] ⟹ Γ | Ω ▶_m Gs 

3. [[ Γ ▶_n Gs; n ≤ m ]] ⟹ Γ ▶_m Gs. 

- Context weakening, where (set Γ) denotes the set underlying the context Γ: 

1. [[ Γ | Ω ▷ G; set Γ ⊆ set Γ' ]] ⟹ Γ' | Ω ▷ G 

2. [[ Γ | Ω ▶ Gs; set Γ ⊆ set Γ' ]] ⟹ Γ' | Ω ▶ Gs 

3. [[ Γ ▶ Gs; set Γ ⊆ set Γ' ]] ⟹ Γ' ▶ Gs. 

- Intuitionistic atomic cut: 

1. [[ Γ | Ω ▷_i G; set Γ = set (A, Γ'); Γ' | [] ▷_j ⟨A⟩ ]] ⟹ Γ' | Ω ▷_{i+j} G. 

2. [[ Γ | Ω ▶_i Gs; set Γ = set (A, Γ'); Γ' | [] ▷_j ⟨A⟩ ]] ⟹ Γ' | Ω ▶_{i+j} Gs. 

3. [[ Γ ▶_i Gs; set Γ = set (A, Γ'); Γ' | [] ▷_j ⟨A⟩ ]] ⟹ Γ' ▶_{i+j} Gs. 

Proof All the proofs are by mutual structural induction on the three sequent judgments. 
For the two forms of weakening, all it takes is a call to Isabelle/HOL's classical reasoner. 
Cut requires a little care in the implicational cases, but nevertheless it does not involve more 
than two dozen instructions. □ 

Although the sequent calculus in [96] enjoys other forms of cut-elimination, the following: 

MC-Corollary 28 (seq_cut) 

[[ A, Γ | Ω ▷ G; Γ | [] ▷ ⟨A⟩ ]] ⟹ Γ | Ω ▷ G 

is enough for the sake of the type preservation proof (MC-Theorem 32). Further, admissi- 
bility of contraction and exchange for the intuitionistic context is a consequence of context 
weakening. 
st_init :     init ∘ return v  ↦  answer v 

st_return :   K; λx.i ∘ return v  ↦  K ∘ i[v/x] 

st_fun :      K ∘ ev (fun x. e)  ↦  K ∘ return (fun x. e) 

st_fix :      K ∘ ev (fix x. e)  ↦  K ∘ ev (e[fix x. e/x]) 

st_app :      K ∘ ev (e_1 • e_2)  ↦  K; λx_1. app_1 x_1 e_2 ∘ ev e_1 

st_app_1 :    K ∘ app_1 (fun x. e) e_2  ↦  K ∘ ev (e[e_2/x]) 

Fig. 9 Transition rules for machine states 

5.2 A Continuation Machine and its Operational Semantics 

We avail ourselves of the continuation machine for Mini-ML formulated in [91] (Sections 
6.5 and 6.6), which we refer to for motivation and additional details. We use the same lan- 
guage and we repeat it here for convenience: 

Types          τ ::= i | τ → τ' 
Expressions    e ::= x | fun x. e | e_1 • e_2 | fix x. e 

The main judgment s ↦ s' (Figure 9) describes how the state s of the machine evolves 
into a successor state s' in a small-step style. The machine selects an expression to be ex- 
ecuted and a continuation K, which contains all the information required to carry on the 
execution. To achieve this we use the notion of instruction, i.e., an intermediate command 
that links an expression to its value. The continuation is either empty (init) or it has the form 
of a stack (K; λx.i), each item of which (but the top) is a function from values to instruc- 
tions. Instruction (ev e) starts the first step of the computation, while (return v) tells the 
current continuation to apply the top element on the continuation stack to the newly found 
value. Other instructions sequentialize the evaluation of subexpressions of constructs with 
more than one argument; in our language, in the case of application, the second argument is 
postponed until the first is evaluated completely. This yields the following categories for the 
syntax of the machine: 

Instructions     i ::= ev e | return v | app_1 v_1 e_2 
Continuations    K ::= init | K; λx.i 
Machine States   s ::= K ∘ i | answer v 

The formulation of the subject reduction property of this machine follows the statement 
in [20], although we consider sequences of transitions by taking the reflexive-transitive clo- 
sure ↦* of the small-step relation, and a top level initialization rule cev (Figure 10). Of 
course, we need to add typing judgments for the new syntactic categories, namely instruc- 
tions, continuations and states. These can be found in Figure 11, whereas we refer the reader 
to Figure 2 as far as typing of expressions goes. 

Theorem 29 K ∘ i ↦* answer v and · ⊢_i i : τ_1 and ⊢_K K : τ_1 → τ_2 implies · ⊢_e v : τ_2. 
Fig. 10 Top level transition rules: stop and step (defining the reflexive-transitive closure ↦*) and the 
initialization rule cev, whose premise is init ∘ ev e ↦* answer v 



Proof By induction on the length of the execution path using inversion properties of the 
typing judgments. □ 

Corollary 30 (Subject Reduction) e ↪ v and · ⊢_e e : τ entails · ⊢_e v : τ, where e ↪ v denotes 
the judgment concluded by the rule cev. 

As a matter of fact we could have obtained the same result by showing the soundness 
of the operational semantics of the continuation machine w.r.t. big step evaluation, viz. that 
e ↪ v entails e ⇓ v (see Theorem 6.25 in [91]), and then appealing to type preservation of the 
latter. That would be another interesting case study: the equivalence of the two operational 
semantics (thoroughly investigated by Pfenning in Chapter 6 op. cit., but in the intuitionistic 
setting of LF), to gauge what the "Olli" approach would buy us. 
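The machine of Figure 9 together with the typing rules of Figure 11, as a runnable Python model added here for illustration (it is not the paper's own code, which is an Isabelle/HOL development). It assumes Church-style type annotations on fun and fix binders (the paper's Mini-ML is unannotated) and closed programs, so substitution never has to rename; `step`, `run`, `type_state`, the frame variable `_x1` and the sample programs `COMPOSE` and `LOOPY` are the example's own names. `run` re-checks the type of the machine state after every transition, which is exactly the invariant Theorem 29 establishes once and for all:

```python
"""Call-by-name Mini-ML continuation machine (Figure 9) with the typing rules of Figure 11,
re-checking the state type after every transition (the invariant behind Theorem 29).
Added example, not the paper's code.  Assumptions: binders carry type annotations (the
paper's syntax is unannotated) and programs are closed, so substitution never renames."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# ---- types: base type i and arrows -------------------------------------------------
@dataclass(frozen=True)
class Arrow:  dom: "Ty"; cod: "Ty"
Ty = Union[str, Arrow]                 # 'i' or Arrow(dom, cod)
I: Ty = "i"

# ---- expressions, instructions, continuations, states ------------------------------
@dataclass(frozen=True)
class Var:  name: str
@dataclass(frozen=True)
class Fun:  x: str; ty: Ty; body: "Exp"          # fun x:ty. body
@dataclass(frozen=True)
class App:  e1: "Exp"; e2: "Exp"                 # e1 • e2
@dataclass(frozen=True)
class Fix:  x: str; ty: Ty; body: "Exp"          # fix x:ty. body
Exp = Union[Var, Fun, App, Fix]
@dataclass(frozen=True)
class Ev:     e: Exp                             # ev e
@dataclass(frozen=True)
class Return: v: Exp                             # return v
@dataclass(frozen=True)
class App1:   v1: Exp; e2: Exp                   # app1 v1 e2
Instr = Union[Ev, Return, App1]
Cont = List[Tuple[str, Instr]]                   # init = [], frame λx.i = (x, i), top frame last
@dataclass(frozen=True)
class Answer: v: Exp
State = Union[Tuple[Cont, Instr], Answer]        # K ∘ i  |  answer v

def subst(e: Exp, x: str, s: Exp) -> Exp:
    """e[s/x] for closed s: no capture is possible, a binder named x shadows."""
    if isinstance(e, Var):
        return s if e.name == x else e
    if isinstance(e, App):
        return App(subst(e.e1, x, s), subst(e.e2, x, s))
    return e if e.x == x else type(e)(e.x, e.ty, subst(e.body, x, s))

def subst_instr(i: Instr, x: str, v: Exp) -> Instr:
    if isinstance(i, Ev):
        return Ev(subst(i.e, x, v))
    if isinstance(i, Return):
        return Return(subst(i.v, x, v))
    return App1(subst(i.v1, x, v), subst(i.e2, x, v))

def step(s: Tuple[Cont, Instr]) -> State:
    """One transition of Figure 9 from the state K ∘ i."""
    K, i = s
    if isinstance(i, Return):
        if not K:                                         # st_init
            return Answer(i.v)
        x, body = K[-1]                                   # st_return: pop λx.body, pass v to it
        return (K[:-1], subst_instr(body, x, i.v))
    if isinstance(i, Ev):
        e = i.e
        if isinstance(e, Fun):                            # st_fun: a function is a value
            return (K, Return(e))
        if isinstance(e, Fix):                            # st_fix: unfold one level
            return (K, Ev(subst(e.body, e.x, e)))
        if isinstance(e, App):                            # st_app: push λx1. app1 x1 e2, run e1
            return (K + [("_x1", App1(Var("_x1"), e.e2))], Ev(e.e1))
        raise ValueError(f"free variable {e.name} in a closed program")
    if isinstance(i.v1, Fun):                             # st_app1: call-by-name β-step
        return (K, Ev(subst(i.v1.body, i.v1.x, i.e2)))
    raise ValueError("app1 applied to a non-function")

def type_exp(ctx: Dict[str, Ty], e: Exp) -> Ty:
    """Expression typing (Figure 2); raises TypeError on ill-typed input."""
    if isinstance(e, Var):
        if e.name not in ctx: raise TypeError(f"unbound {e.name}")
        return ctx[e.name]
    if isinstance(e, Fun):
        return Arrow(e.ty, type_exp({**ctx, e.x: e.ty}, e.body))
    if isinstance(e, Fix):
        if type_exp({**ctx, e.x: e.ty}, e.body) != e.ty: raise TypeError("fix body")
        return e.ty
    t1, t2 = type_exp(ctx, e.e1), type_exp(ctx, e.e2)
    if not (isinstance(t1, Arrow) and t1.dom == t2): raise TypeError("bad application")
    return t1.cod

def type_instr(ctx: Dict[str, Ty], i: Instr) -> Ty:
    """of_i_ev / of_i_return / of_i_app1: the type of the value the instruction delivers."""
    if isinstance(i, App1):
        return type_exp(ctx, App(i.v1, i.e2))            # same premises as an application
    return type_exp(ctx, i.e if isinstance(i, Ev) else i.v)

def type_cont(K: Cont, t_in: Ty) -> Ty:
    """of_K_init / of_K_cont: ⊢_K K : t_in → result, the top frame consuming t_in first."""
    for x, body in reversed(K):
        t_in = type_instr({x: t_in}, body)
    return t_in

def type_state(s: State) -> Ty:
    """of_s_o / of_s_answer: ⊢_s K ∘ i : τ2 when ⊢_i i : τ1 and ⊢_K K : τ1 → τ2."""
    if isinstance(s, Answer):
        return type_exp({}, s.v)
    K, i = s
    return type_cont(K, type_instr({}, i))

def run(e: Exp) -> Tuple[Exp, int]:
    """cev: drive init ∘ ev e to answer v, asserting type preservation at each step."""
    s: State = ([], Ev(e))
    t = type_state(s)                                     # rejects ill-typed programs up front
    n = 0
    while not isinstance(s, Answer):
        s = step(s); n += 1
        assert type_state(s) == t, "subject reduction violated"
    return s.v, n

II = Arrow(I, I)                                          # constructed sample programs:
COMPOSE = App(Fun("f", Arrow(II, II), Fun("x", II, App(Var("f"), Var("x")))),  # (fun f. fun x. f•x) • (fun g. g)
              Fun("g", II, Var("g")))
LOOPY = Fix("f", II, Fun("y", I, App(Var("f"), Var("y"))))  # fix f. fun y. f•y: one unfolding, then a value

if __name__ == "__main__":
    for p in (COMPOSE, LOOPY):
        v, n = run(p)
        print(n, "steps ->", v, ":", type_state(Answer(v)))
```

Running it prints, for each sample, the number of transitions and the resulting value with its type; a program such as (fun x:i. x) • (fun g:i. g) is rejected by the initial type check, and a program such as fix f:τ. f makes `run` loop exactly as the machine does, since st_fix unfolds it to itself.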



Γ ⊢_e e : τ 
──────────────── of_i_ev 
Γ ⊢_i ev e : τ 

Γ ⊢_e v : τ 
──────────────────── of_i_return 
Γ ⊢_i return v : τ 

Γ ⊢_e e_1 : τ' → τ     Γ ⊢_e e_2 : τ' 
───────────────────────────────────── of_i_app_1 
Γ ⊢_i app_1 e_1 e_2 : τ 

─────────────────── of_K_init 
⊢_K init : τ → τ 

x : τ_1 ⊢_i i : τ_2     ⊢_K K : τ_2 → τ_3 
───────────────────────────────────────── of_K_cont 
⊢_K K; λx.i : τ_1 → τ_3 

⊢_i i : τ_1     ⊢_K K : τ_1 → τ_2 
───────────────────────────────── of_s_o 
⊢_s K ∘ i : τ_2 

⊢_e v : τ 
──────────────────── of_s_answer 
⊢_s answer v : τ 

Fig. 11 Typing rules for the continuation machine 

5.3 Encoding the Object Logic 

We now show how to write the operational semantics of the continuation machine as an Olli 
program, or more precisely as Olli^→ OL clauses. Rather than representing the continuation 
K as an explicit stack, we will simply store instructions in the ordered context. This is partic- 
ularly striking as we map machine states not into OL data, but into OL provability. In particular 
we will use the following representation to encode machine states: 

K ∘ i   ↝   [] | ⌜K⌝ ▷ (ex ⌜i⌝) 

where ⌜K⌝ is the representation, described below, of the continuation (stack) K and ⌜i⌝ the 
obvious representation of the instruction. In fact, if we retain the usual abbreviation 

uexp = con expr 

the encoding of instructions can be simply realized with an Isabelle/HOL datatype, whose 
adequacy is standard: 

datatype instr = ev uexp | return uexp | app1 uexp uexp 

To describe the encoding of continuations, we use our datatype atm, which describes the 
atomic formulas of the OL. This time, it is more interesting and consists of: 

datatype atm = ceval uexp uexp | ex instr | init uexp 
             | cont (uexp ⇒ instr) | uexp : tp 
             | ofI instr tp | ofK tp 

We have an atom to describe the initial continuation "init" of type uexp ⇒ atm, the continu- 
ation that simply returns its value. Otherwise K is an ordered context of atoms "cont K" of 
type (uexp ⇒ instr) ⇒ atm. The top level of evaluation (ceval ⌜e⌝ ⌜v⌝) unfolds to the initial 
goal init ⌜v⌝ ↠ ex (ev ⌜e⌝); our program will evaluate the expression ⌜e⌝ and instantiate 
⌜v⌝ with the resulting value. In other words, we evaluate e with the initial continuation. The 
other instructions are treated as follows: the goal ex (return ⌜v⌝) means: pass v to the top 
continuation on the stack (i.e., the rightmost element in the ordered context); the instruction 
in the goal ex (app1 ⌜v_1⌝ ⌜e_2⌝) sequentializes the evaluation of application. 
We have the following representations of machine states: 

init ∘ return v   ↝   [] | [init W] ▷ (ex (return ⌜v⌝)) 

where the logic variable W will be instantiated to the final answer; 

K; λx.i ∘ return v   ↝   [] | [⌜K⌝, cont (λx.⌜i⌝)] ▷ (ex (return ⌜v⌝)) 

where the ordering constraints force the proof of ex (return ⌜v⌝) to focus on the rightmost 
ordered formula. 

We can now give the clauses for the OL deductive systems in Figure 12, starting with 
typing. These judgments are intuitionistic, except typing of continuations. The judgments 
for expressions and instructions directly encode the corresponding judgments and derivation 
rules. The judgments for continuations differ from their analogs in Figure 11 in that there 
is no explicit continuation to type; instead, the continuation to be typed is in the ordered 
context. Thus, these judgments must first get a continuation from the ordered context and 
then proceed to type it. 

The reader may be relieved to learn that, at this late stage of the paper, we will be much more infor- 
mal with the issue of the adequacy of this encoding, mainly trying to convey the general intuition. This is 
also notationally signaled by dropping the somewhat heavy notation ε(·) for the lighter ⌜·⌝. It is likely that 
the faithfulness of our representation could be obtained following the approach in [20]; see in particular 
Theorem 3.4 ibid. 
Inductive _ ← _ | _ :: [atm, oo list, oo list] ⇒ bool 

              ⟹ (E_1 @ E_2) : T ← [] | [(E_1 : (T' → T)), (E_2 : T')] 
[[ abstr E ]] ⟹ (fun x. E x) : (T_1 → T_2) ← [] | [all x. (x : T_1) imp ((E x) : T_2)] 
[[ abstr E ]] ⟹ (fix x. E x) : T ← [] | [all x. (x : T) imp ((E x) : T)] 
              ⟹ ofI (ev E) T ← [] | [(E : T)] 
              ⟹ ofI (return V) T ← [] | [(V : T)] 
              ⟹ ofI (app1 V E) T ← [] | [(V : (T_2 → T)), (E : T_2)] 

              ⟹ ofK (T → T) ← [(init V)] | [] 
              ⟹ ofK (T_1 → T_2) ← [(cont K), (ofK (T → T_2))] | [all x. (x : T_1) imp (ofI (K x) T)] 

              ⟹ ceval E V ← [init V ↠ ex (ev E)] | [] 

              ⟹ ex (return V) ← [(init V)] | [] 
[[ abstr K ]] ⟹ ex (return V) ← [(cont K), (ex (K V))] | [] 
[[ abstr E ]] ⟹ ex (ev (fun E)) ← [(ex (return (fun E)))] | [] 
              ⟹ ex (ev (E_1 @ E_2)) ← [cont (λv. app1 v E_2) ↠ (ex (ev E_1))] | [] 
[[ abstr E ]] ⟹ ex (app1 (fun E) E_2) ← [(ex (ev (E E_2)))] | [] 

Fig. 12 Hybrid's encoding of the OL deductive systems of the continuation machine 



The evaluation clauses of the program fully take advantage of ordered contexts. The first 
one corresponds to the cev rule. The rest directly mirror the machine transition rules. 

A sample derivation is probably in order and so it follows as MC-Lemma 31. Note 
that as far as examples of evaluations go, this is not far away from total triviality, being 
the evaluation of something which is already a value. However, our intention here is not 
to illustrate the sequentialization of evaluation steps typical of a continuation machine (for 
which we refer again to [91]); rather we aim to emphasize the role of the ordered context, in 
particular the effect of non-deterministic splitting on the complexity of proof search. 

MC-Lemma 31 ∃V. ▷ (ceval (fun x. x) V) 

Proof After introducing the logic variable ?V (here we pay no attention to the height of the 
derivation) we apply rule bc, i.e., backchaining, obtaining the following 3 goals: 

1. ceval (fun x. x) ?V ← [init ?V ↠ ex (ev (fun x. x))] | [] 

2. [] | [] ▶ [init ?V ↠ ex (ev (fun x. x))] 

3. [] ▶ [] 

Goals such as the third one (the base case of intuitionistic list evaluation) will always arise 
when back-chaining on evaluation, as the intuitionistic context plays no role, i.e., it is empty; 
since they are trivially true, they will be resolved away without any further mention. So we 
have retrieved the body of the relevant clause and passed it to ordered list evaluation: 

[] | [] ▶ [init ?V ↠ ex (ev (fun x. x))] 
This leads to splitting the ordered context, i.e., 

1. osplit [] Ω_G Ω_R 

2. [] | Ω_G ▷ init ?V ↠ (ex (ev (fun x. x))) 

3. [] | Ω_R ▶ [] 

In this case, ordered splitting is deterministic as it can only match the base case, and the two 
resulting contexts Ω_G and Ω_R are both set to empty: 

[] | [] ▷ init ?V ↠ (ex (ev (fun x. x))) 

The introduction rule for ordered implication (and simplification) puts the goal in the form: 

[] | [init ?V] ▷ (ex (ev (fun x. x))) 

which corresponds to the execution of the identity function with the initial continuation. 
Another backchain yields: 

1. abstr (λx. x) 

2. osplit [init ?V] Ω_G1 Ω_R1 

3. [] | Ω_G1 ▷ (ex (return (fun x. x))) 

As usual, abstr_tac takes care of the first goal, while now we encounter the first interesting 
splitting case. To be able to solve the goal by assumption in the SL, we need to pass the 
(singleton) context to Ω_G1, the context of the head goal. One way to achieve this is to gently push the 
system by proving the simple lemma ∀A. osplit [A] [A] []. Using the latter as an introduction 
rule for subgoal 2, we get: 

[] | [init ?V] ▷ (ex (return (fun x. x))) 

More backchaining yields: 

[] | [init ?V] ▶ [(init (fun x. x))] 

and with another similar ordered split we have 

[] | [init ?V] ▷ (init (fun x. x)) 

which is true by the init_Ω rule. This concludes the derivation, instantiating ?V with fun x. x. 

□ 

If we collect in sig_defs all the definitions pertaining to the signature in question and 
bundle up in olli_intrs all the introduction rules for the sequent calculus, (ordered) split- 
ting and the program database, the tactic 

fast_tac (claset() addIs olli_intrs (simpset() addSolver (abstr_solver sig_defs))); 

will automatically and very quickly prove the above lemma, by backtrack- 
ing on all the possible ordered splittings, which are, in the present case, precious few. 
However, this will not be the case for practically any other goal evaluation, since split- 
ting is highly non-deterministic in so far as all the possible partitions of the contexts need 
to be considered. To remedy this, we could encode a variant of the input-output sequent 
calculus described in [96] and further refined in [97], which describes efficient resource 
management (and hence search) in linear logic programming. Then, it would be a matter 
of showing it equivalent to the base calculus, which may be far from trivial. In the end, our 
system will do fine for its aim, i.e., investigation of the meta-theoretic properties of our case 
study. 
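Proof search for the Olli^→ fragment of Section 5.1 over the evaluation clauses of Figure 12, as an added Python example (it is not the paper's Isabelle/HOL development, and it is not the tactic above). It follows the reading of osplit in which the head subgoal consumes the right-hand segment of the ordered context, so `osplit` enumerates Ω = Ω_R @ Ω_G; it represents a frame cont (λx.i) as a first-order pair (x, i) rather than a HOAS term, and it omits fix and the typing clauses. `prove`, `prove_list`, `osplit`, `ceval`, the frame variable `_v` and the sample programs `ID` and `ID_APP` are the example's own names. Counting the splits tried makes the remark above concrete: MC-Lemma 31 needs two deterministic splits, whereas a single application already backtracks through several failed partitions before the frame on top of the stack is found.

```python
"""Proof search for the Olli^→ fragment of Section 5.1 over the evaluation clauses of
Figure 12: ordered context as a Python list (top continuation at the right end),
↠_R appends at the right, init_Ω needs a singleton context, and backchaining walks the
ordered body with osplit enumerating every order-preserving split.
Added example, not the paper's Isabelle/HOL encoding.  Assumptions: frames are
first-order pairs (x, instr) instead of HOAS terms; osplit Ω Ω_G Ω_R is read as
Ω = Ω_R @ Ω_G, so the head goal consumes the right-hand segment; no fix, no typing."""
from __future__ import annotations
from typing import Any, Dict, Iterator, Tuple

# Expressions:   ('var', x) | ('fun', x, e) | ('app', e1, e2)
# Instructions:  ('ev', e) | ('return', v) | ('app1', v1, e2)
# Ordered atoms: ('init', '?V') and ('cont', x, instr)      (the frame λx.instr)
# Goals: an atom, ('ex', instr), ('imp', atom, goal) for atom ↠ goal, or a callable
#        building a goal from bindings made by earlier subgoals of the same clause body.
Term = Tuple[Any, ...]
Env = Dict[str, Any]

def subst(e: Term, x: str, s: Term) -> Term:
    """e[s/x]; s is closed, so no renaming is needed (the machine only runs closed programs)."""
    if e[0] == 'var':
        return s if e[1] == x else e
    if e[0] == 'fun':
        return e if e[1] == x else ('fun', e[1], subst(e[2], x, s))
    return ('app', subst(e[1], x, s), subst(e[2], x, s))

def apply_frame(frame: Term, v: Term) -> Term:
    """(λx.i) v: the instruction a popped frame continues with."""
    _, x, instr = frame
    return (instr[0],) + tuple(subst(a, x, v) for a in instr[1:])

def clauses(goal: Term) -> Iterator[list]:
    """Ordered bodies (leftmost subgoal first) of the Figure 12 'ex' clauses matching goal."""
    instr = goal[1]
    if instr[0] == 'return':
        v = instr[1]
        yield [('init', v)]                                        # ex (return V) ← [init V]
        yield [('cont',), lambda env: ('ex', apply_frame(env['K'], v))]  # ← [cont K, ex (K V)]
    elif instr[0] == 'ev':
        e = instr[1]
        if e[0] == 'fun':                                          # ← [ex (return (fun E))]
            yield [('ex', ('return', e))]
        elif e[0] == 'app':                                        # push λv. app1 v E2, run E1
            yield [('imp', ('cont', '_v', ('app1', ('var', '_v'), e[2])), ('ex', ('ev', e[1])))]
    elif instr[0] == 'app1' and instr[1][0] == 'fun':              # ← [ex (ev (E E2))], call-by-name
        f, e2 = instr[1], instr[2]
        yield [('ex', ('ev', subst(f[2], f[1], e2)))]

def osplit(omega: list, stats: Dict[str, int]) -> Iterator[Tuple[list, list]]:
    """All (Ω_R, Ω_G) with Ω = Ω_R @ Ω_G: append(Ω_R, Ω_G, Ω) called in mode (-, -, +)."""
    for k in range(len(omega) + 1):
        stats['splits'] += 1
        yield omega[:k], omega[k:]

def prove(omega: list, goal: Any, stats: Dict[str, int], env: Env) -> Iterator[Tuple[Any, Env]]:
    """Derivations of  [] | omega ▷ goal, yielding (answer for ?V or None, bindings)."""
    if callable(goal):
        goal = goal(env)
    if goal[0] == 'imp':                         # ↠_R: append the antecedent at the right of Ω
        yield from prove(omega + [goal[1]], goal[2], stats, env)
    elif goal[0] in ('init', 'cont'):            # init_Ω: Ω must be exactly the matching atom
        if len(omega) == 1 and omega[0][0] == goal[0]:
            if goal[0] == 'init':
                yield goal[1], env               # ?V := V
            else:
                yield None, {**env, 'K': omega[0]}   # K := the frame on top of the stack
    elif goal[0] == 'ex':                        # bc: focus on each clause whose head matches
        for body in clauses(goal):
            yield from prove_list(omega, body, stats, env)

def prove_list(omega: list, goals: list, stats: Dict[str, int], env: Env) -> Iterator[Tuple[Any, Env]]:
    """[] | omega ▶ goals: multiplicative; the base case needs every ordered resource consumed."""
    if not goals:
        if not omega:
            yield None, env
        return
    for omega_r, omega_g in osplit(omega, stats):
        for ans, env1 in prove(omega_g, goals[0], stats, env):
            for ans_rest, env2 in prove_list(omega_r, goals[1:], stats, env1):
                yield (ans if ans is not None else ans_rest), env2

def ceval(e: Term) -> Tuple[Any, int]:
    """ceval E V ← [init V ↠ ex (ev E)]: first answer found, and the number of splits tried."""
    stats = {'splits': 0}
    for ans, _ in prove([], ('imp', ('init', '?V'), ('ex', ('ev', e))), stats, {}):
        return ans, stats['splits']
    return None, stats['splits']

ID = ('fun', 'x', ('var', 'x'))                          # constructed sample programs
ID_APP = ('app', ID, ('fun', 'y', ('var', 'y')))         # (fun x. x) • (fun y. y)

if __name__ == "__main__":
    for p in (ID, ID_APP):
        print(ceval(p))
```

The first answer for `ID` is reached after the two deterministic splits traced in the proof of MC-Lemma 31; for `ID_APP` the search first tries every partition of the two-element context [init, cont] against the init clause before the cont clause succeeds. As with the machine itself, a diverging program such as (fun x. x • x) • (fun x. x • x) makes the search run forever, since the clauses only ever reduce the instruction at hand.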

The example may have shed some light on this peculiarity: the operational semantics 
of the continuation machine is small-step; a sequence of transitions is connected (via rules 
for its reflexive transitive closure) to compute a value, whereas our implementation looks at 
first sight big-step, or, at least, shows no sign of transitive closure. In fact, informally, for 
every transition that the machine makes from some state s_i to s_{i+1}, there is a bijective function 
that maps the derivation of ⌜s_i⌝, i.e., the sequent encoding s_i, to the derivation of ⌜s_{i+1}⌝. 
The Olli^→ interpreter essentially simulates the informal trace of the machine obtained by 
transitive closure of each step K ∘ i ↦ s' for some s' with a tree of attempts to establish 
[] | ⌜K⌝ ▷ (ex ⌜i⌝) by appropriate usage of the available ordered resources (the rest of ⌜K⌝). 
In the above example, the paper and pencil proof is a tree with cev at the root, linked by 
the step rule to the st_fun and st_init axioms. This corresponds to the Olli^→ proof we have 
described, whose skeleton consists of the statement of the lemma as root and ending with 
the axiom init_Ω: 

[] | [init ?V] ▷ (ex (ev (fun x. x))) 
  ↝ [] | [init ?V] ▷ (ex (return (fun x. x))) 
  ↝ [] | [init ?V] ▷ (init (fun x. x)) 

Now we can address the meta-theory, namely the subject reduction theorem:

MC-Theorem 32 (sub_red_aux)

  [] | (init V, Ω) ▷_n (ex I) ⟹
    ∀T1 T2. ▷ (ofI I T1) ⟶
      (([] | (init V, Ω) ▷ (ofK (T1 → T2))) ⟶ ▷ (V : T2))

The proof of subject reduction again follows from first principles and does not need any weakening or substitution lemmas. The proof and proof scripts are considerably more manageable if we first establish some simple facts about typing of various syntax categories and instruct the system to aggressively apply every deterministic splitting, e.g.,

  [[ osplit [] Ω_L Ω_R; [[ Ω_L = []; Ω_R = [] ]] ⟹ P ]] ⟹ P

as well as a number of elimination rules stating the impossibility of some inversions such as

  [[ cont K = ofI I T ]] ⟹ P

The human intervention that is required is limited to providing the correct splitting of the ordered hypotheses and selecting the correct instantiations of the heights of sub-derivations in order to apply the IH.

Proof The proof is by complete induction on the height of the derivation of the premise. The inductive hypothesis is:

  ∀m. m < n ⟶
    ∀V I Ω.
      [] | (init V, Ω) ▷_m (ex I) ⟶
        ∀T1 T2.
          [] | [] ▷ (ofI I T1) ∧
          [] | (init V, Ω) ▷ (ofK (T1 → T2)) ⟶ ▷ (V : T2)

Not only will we omit the IH in the following, but we will also gloss over the actual height of the derivations, hoping that the reader will trust Isabelle/HOL to apply the IH correctly. We remark that in contexts we overload the comma to denote adjoining an element to a list at both ends.

We begin by inverting on [] | (init V, Ω) ▷ (ex I) and then on the prog clauses defining execution, yielding several goals, one for each evaluation clause. The statement for the st_return case is as follows:

  [[ ...; abstr K;
     [] | [] ▷ (ofI (return V') T1);
     [] | (init V, Ω) ▷ (ofK (T1 → T2));
     [] | (init V, Ω) ► [(ex (K V')), (cont K)] ]]
  ⟹ ▷ (V : T2)

We start by applying the typing lemma:

  [] | [] ▷ (ofI (return V) T) ⟹ ▷ (ofI V T)

Inverting the derivation of [] | (init V, Ω) ► [(ex (K V')), (cont K)] yields:

  [[ ...; osplit (init V, Ω) Ω_L [cont K];
     [] | Ω_L ▷ (ex (K V'));
     [] | [] ▷ (V' : T1) ]]
  ⟹ ▷ (V : T2)

Now, there is only one viable splitting of the first premise, namely ⋀L. [[ osplit Ω L [cont K]; Ω_L = (init V, L) ]] ⟹ P, as the first one, which would entail cont K = init V, is ruled out by the freeness properties of the encoding of atomic formulas. This results in

  [[ ...; [] | (init V, L) ▷ (ex (K V'));
     [] | (init V, Ω) ▷ (ofK (T1 → T2));
     osplit Ω L [cont K] ]]
  ⟹ ▷ (V : T2)

We now use the reading of ordered split as "reversed" append to force Ω to be the concatenation of L and [cont K], denoted here as in the SL logic, e.g. (L, cont K):

  [[ ...; [] | (init V, L) ▷ (ex (K V'));
     [] | (init V, L, cont K) ▷ (ofK (T1 → T2));
     [] | [] ▷ (V' : T1) ]]
  ⟹ ▷ (V : T2)

We now invert on the typing of the continuation:

  [[ ...; [] | [] ► [all v. v : T1 imp (ofI (K' v) T)];
     [] | [] ▷ (V' : T1);
     [] | (init V, L, cont K) ► [(ofK (T → T2)), (cont K')];
     [] | (init V, L) ▷ (ex (K V')) ]]
  ⟹ ▷ (V : T2)
The informal proof would require an application of the substitution lemma. Instead here we use cut to infer:

  [] | [] ▷ (ofI (K' V') T)

We first have to invert on the hypothetical statement all v. v : T1 imp (ofI (K' v) T) and instantiate v with V':

  [[ ...; [] | [] ▷ (V' : T1);
     [] | (init V, L) ▷ (ex (K V'));
     [] | (init V, L, cont K) ► [(ofK (T → T2)), (cont K')];
     [V' : T1] | [] ▷ (ofI (K' V') T) ]]
  ⟹ ▷ (V : T2)

Now one more inversion on [] | (init V, L, cont K) ► [(ofK (T → T2)), (cont K')] brings us to split osplit (init V, L, cont K) Ω_L [cont K'] so that (init V, L) = Ω_L and K = K':

  [[ ...; [] | [] ▷ (V' : T1);
     [] | (init V, L) ▷ (ex (K' V'));
     [] | [] ▷ (ofI (K' V') T);
     [] | (init V, L) ▷ (ofK (T → T2)) ]]
  ⟹ ▷ (V : T2)

This final sequent follows from complete induction for height i. □

MC-Corollary 33 (subject_reduction) [[ ▷ ceval E V; ▷ E : T ]] ⟹ ▷ V : T

6 Related Work 

There is nowadays extensive literature on approaches to representing and reasoning about what we have called "object logics," where the notion of variable bindings is paramount. These approaches are supported by implementations in the form of proof checkers, proof assistants and theorem provers. We will compare our approach to others according to two categories: whether the system uses different levels for different forms of reasoning and whether it is relational (i.e., related to proof search) or functional (based on evaluation).

6.1 Two-level, Relational Approaches

Our work started as a way of porting most of the ideas of FOλ^ΔIN [69] into the mainstream of current proof assistants, so that they can enjoy the facilities and support that such assistants provide. As mentioned in the introduction, Isabelle/HOL or Coq plays the role of FOλ^ΔIN, the introduction/elimination rules of inductive definitions (types) simulate the defR and defL rules of PIDs, and the Hybrid meta-language provides FOλ^ΔIN's λ-calculus. In addition, our approach went beyond FOλ^ΔIN, featuring meta-level induction and co-induction, which were later proved consistent with the theory of (partial) inductive definitions [82]. These features are now standard in FOλ^ΔIN's successor, Linc [109].

One of the more crucial advances given by Linc-like logic lies in the treatment of induction over open terms, offered by the proof-theory of [76, 109]. The latter has been recently modified [110] to simplify the theory of ∇-quantification by removing local contexts of ∇-bound variables so as to enjoy properties closer to the fresh quantifier of nominal logic, such as strengthening and permutation (see later in this section). Finally the 𝒢 logic [43] brings fully together PIDs and ∇-quantification by allowing the latter to occur in the head of definitions. This gives excellent new expressive power, allowing for example to define the notion of freshness. Furthermore it eases induction over open terms and even gives a logical reading to the notion of "regular worlds" that are crucial in the meta-theory of Twelf.

Recently, Linc-like meta-logics and the two-level approach have received a new implementation from first principles. Firstly, Bedwyr [7] is a model-checker of higher-order specifications, based on a logic programming interpretation of ∇-quantification and case analysis. Coinductive reasoning is achieved via tabling, although no formal justification of the latter is given. Typical applications are in process calculi, such as bisimilarity in the π-calculus. The already cited Abella [42] is emerging as a real contender in this category: it implements a large part of the 𝒢 logic and sports a significant library of theories, including an elegant proof of the POPLmark challenge [6] as well as a proof of strong normalization by logical relations [44], an issue which has been contentious in the theorem proving world. This proof is based on a notion of arbitrarily cascading substitutions, which shares with nominal logic encodings the problem that once nominal constants have been introduced, the user often needs to spend some effort controlling their spread. In fact, there is currently some need to control occurrences of names in terms and thus to rely on "technical" lemmas that have no counterpart in the informal proof. This is not a problem of the prover itself, but it is induced by the nominal flavor that logics such as Linc's successors LG^ω and 𝒢 have introduced. More details can be found in [37].

The so far more established competitor in the two-level relational approach is 
Twelf [104]. Here, the LF type theory is used to encode OLs as judgments and to spec- 
ify meta-theorems as relations (type families) among them; a logic programming-like in- 
terpretation provides an operational semantics to those relations, so that an external check 
for totality (incorporating termination, well-modedness, coverage [92, 106]) verifies that the 
given relation is indeed a realizer for that theorem. In this sense the Twelf totality checker 
can be seen to work at a different level than the OL specifications. 

Hickey et al. [52] built a theory for two-level reasoning within the MetaPRL system, 
based on reflection. A HOAS representation is used at the level of reflected terms. A com- 
putationally equivalent de Bruijn representation is also defined. Principles of induction are 
automatically generated for a reflected theory, but it is stated that they are difficult to use 
interactively because of their size. In fact, there is little experience using the system for 
reasoning about OLs. 



6.2 Two-level, Functional Approaches 

There exists a second approach to reasoning in LF that is built on the idea of devising an explicit (meta-)meta-logic for reasoning (inductively) about the framework, in a fully automated way [103]. ℳ₂⁺ can be seen as a constructive first-order inductive type theory, whose quantifiers range over possibly open LF objects over a signature. In this calculus it is possible to express and inductively prove meta-logical properties of an OL. By the adequacy of the encoding, the proof of the existence of the appropriate LF object(s) guarantees the proof of the corresponding object-level property. ℳ₂⁺ can also be seen as a dependently-typed functional programming language, and as such it has been refined first into the Elphin programming language [107] and finally in Delphin [101]. ATS/LF [29] is an instantiation of Xi's applied type systems combining programming with proofs and can be used as a logical framework. In a similar vein the contextual modal logic of Pientka, Pfenning and Nanevski [83] provides a basis for a different foundation for programming with HOAS based on hereditary substitutions. This has been explicitly formulated as the programming language Beluga [93]. Because all of these systems are programming languages, we refrain from a deeper discussion. See [35] for a comparison of Twelf, Beluga, and Hybrid on some benchmark examples.



6.3 One-level, Functional Approaches 

Modal λ-calculi were formulated in the early attempts by Schürmann, Despeyroux, and Pfenning [105] to develop a calculus that allows the combination of HOAS with a primitive recursion principle in the same framework, while preserving the adequacy of representations. For every type A there is a type □A of closed objects of type A. In addition to the regular function type A ⇒ B, there is a more restricted type A → B = □A ⇒ B of "parametric" functions. Functions used as arguments for higher-order constructors are of this kind and thus roughly correspond to our notion of abstraction. The dependently-typed case is considered in [33] but the approach seems to have been abandoned in view of [83]. Washburn and Weirich [114] show how standard first-class polymorphism can be used instead of a special modal operator to restrict the function space to "parametric" functions. They encode and reason about higher-order iteration operators.

We have mentioned earlier the work by Gordon and Melham [47, 48], which we used 
as a starting point for Hybrid. Building on this work, Norrish improves the recursion princi- 
ples [86], allowing greater flexibility in defining recursive functions on this syntax. 



6.4 Other One-Level Approaches 

Weak higher-order abstract syntax [32] is an approach that strives to co-exist with an inductive setting, where the positivity condition for datatypes and hypothetical judgments must be obeyed. In weak HOAS, the problem of negative occurrences in datatypes is handled by replacing them with a new type. For example, the fun constructor for Mini-ML introduced in Section 3 has type (var ⇒ uexp) ⇒ uexp, where var is a type of variables, isomorphic to natural numbers. Validity predicates are required to weed out exotic terms, stemming from case analysis on the var type, which at times is inconvenient. The approach is extended to hypothetical judgments by introducing distinct predicates for the negative occurrences. Some axioms are needed to reason about hypothetical judgments, to mimic what is inferred by the cut rule in our architecture. Miculan et al.'s framework [25, 55, 72] embraces an axiomatic approach to meta-reasoning with weak HOAS in an inductive setting. It has been used within Coq, extended with a "theory of contexts" (ToC), which includes a set of axioms parametric to an HOAS signature. The theory includes the reification of key properties of names akin to freshness. Exotic terms are avoided by taking var to be a parameter and assuming axiomatically the relevant properties. Furthermore, higher-order induction and recursion schemata on expressions are also assumed. To date, the consistency with respect to a categorical semantics has been investigated for higher-order logic [16], rather than w.r.t. a (co)inductive dependent type theory such as the one underlying Coq [46].



For the record, the by now standard terminology "weak" HOAS was coined by the second author of the 
present paper in [78]. 
From our perspective, ToC can be seen as a stepping stone towards Gabbay and Pitts' nominal logic, which aims to be a foundation of programming and reasoning with names, in a one-level architecture. This framework started as a variant of Fraenkel-Mostowski set theory based on permutations [39], but it is now presented as a first-order theory [94], which includes primitives for variable renaming and variable freshness, and a (derived) new "freshness" quantifier. Using this theory, it is possible to prove properties by structural induction and also to define functions by recursion over syntax [95]. The proof-theory of nominal logic has been thoroughly investigated in [21, 40], and the latter also investigates the proof-theoretical relationships between the ∇ and the "freshness" quantifier, by providing a translation of the former to the latter.

Gabbay has tried to implement nominal sets on top of Isabelle [41]. A better approach 
has turned out to be Urban et al.'s; namely to engineer a nominal datatype package inside 
Isabelle/HOL [85, 112] analogous to the standard datatype package but defining equivalence 
classes of term constructors. In more recent versions, principles of primitive recursion and 
strong induction have been added [111] and many case studies tackled successfully, such as 
proofs by logical relations (see [85] for more examples). The approach has also been com- 
pared in detail with de Bruijn syntax [13] and in hindsight owes to McKinna and Pollack's 
"nameless" syntax [70]. Nominal logic is beginning to make its way into Coq; see [4]. 

It is fair to say that while Urban's nominal package allows the implementation of informal proofs obeying the Barendregt convention almost literally, a certain number of lemmas that the convention conveniently hides must still be proved w.r.t. the judgment involved; for example to choose a fresh atom for an object x, one has to show that x has finite support, which may be tricky for x of functional type, notwithstanding the aid of general tactics implemented in the package. HOAS, instead, aims to make α-conversion disappear and tries to extract the abstract higher-order nature of calculi and proofs thereof, rather than follow line-by-line the informal development. On the other hand, it would be interesting to look at versions of the freshness quantifier at the SL level, especially for those applications where the behavior of the OL binder is not faithfully mirrored by HOAS, namely with the traditional universal quantification at the SL-level; well known examples of this case include (mis)match in the π-calculus and closure-conversion in functional programming.

Chlipala [23] recently introduced an alternate axiomatic approach to reasoning with 
weak HOAS. Object-level terms are identified as meta-terms belonging to an inductive type 
family, where the type of terms is parameterized by the type of variables. Exotic terms are 
ruled out by parametricity properties of these polymorphic types. Clever encodings of OLs 
are achieved by instantiating these type variables in different ways, allowing data to be 
recorded inside object-level variables (a technique borrowed from [114]). Example proofs 
developed with this technique include type preservation and semantic preservation of pro- 
gram transformations on functional programming languages. 

6.5 Hybrid Variants 

Some of our own related work has involved alternative versions of Hybrid as well as improvements to Hybrid, which we describe here.

Constructive Hybrid. A constructive version of Hybrid implemented in Coq [18] provides an alternative that could also serve as the basis for a two-level architecture. This version provides a new approach to defining induction and non-dependent recursion principles aimed at simplifying reasoning about OLs. In contrast to [107], where built-in primitives are provided for the reduction equations for the higher-order case, the recursion principle is defined on top of the base de Bruijn encoding, and the reduction equations proved as lemmas.

In order to define induction and recursion principles for particular OLs, terms of type expr are paired with proofs showing that they are in a form that can represent an object-level term. A dependent type is used to store such pairs; here we omit the details and just call it expr', and sometimes oversimplify and equate expr' with expr. For terms of Mini-ML for example, in addition to free variables and bound variables, terms of the forms (CON cAPP $ E1 $ E2), (CON cABS $ LAM x. E x) and (CON cFIX $ LAM x. E x), which correspond to the bodies of the definitions of @, fun, and fix, are the only ones that can be paired with such a proof. Analogues of the definitions for constructing object-level terms of type expr are defined for type expr'. For example, (e1 @ e2) is defined to be the dependent term whose first component is an application (using @) formed from the first components of e1 and e2, and whose second component is formed from the proof components of e1 and e2.

Instead of defining a general lambda operator, a version of lbind that does not rely on classical constructs is defined for each OL. Roughly, (lbind e) is obtained by applying e to a new free variable and then replacing it with de Bruijn index 0. A new variable for a term e of type expr → expr is defined by adding 1 to the maximum index in subterms of the form (VAR x) in (e (BND 0)). Note that terms that do not satisfy abstr may have a different set of free variables for every argument, but for those which do satisfy abstr, choosing (BND 0) as the argument to which e is applied does give an authentic free variable. Replacing free variable (VAR n) in (e (VAR n)) with (BND 0) involves defining a substitution operator that increases bound indices as appropriate as it descends through ABS operators. This description of lbind is informal and hides the fact that these definitions are actually given on dependent pairs, i.e., e has type expr' → expr'. Thus, the definition of lbind depends on the OL because expr' is defined for each OL. Induction and recursion are also defined directly on type expr'. To obtain a recursion principle, it is shown that for any type t, a function f of type expr' → t can be defined by specifying its results on each "constructor" of the OL. For example, for the @ and fun cases of Mini-ML, defining f involves defining Happ and Hfun of the following types:

  Happ : expr' → expr' → B → B → B
  Hfun : (expr' → expr') → B → B

and then the following reduction equations hold.

  f (e1 @ e2) = Happ e1 e2 (f e1) (f e2)
  f (fun λx. e x) = Hfun (canon (λx. e x)) (f (lbind (λx. e x)))

In these equations we oversimplify, showing functions f, Happ, and Hfun applied to terms of type expr; in the actual equations, proofs paired with terms on the left are used to build proofs of terms appearing on the right. The canon function in the equation for fun uses another substitution operator to obtain a "canonical form," computed by replacing the de Bruijn index in (lbind (λx. e x)) with x. This function is the identity function on terms that satisfy abstr.
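The informal description of newvar, lbind and canon above, as an added Python model that is not code from the paper or from the Hybrid distribution: it works over the de Bruijn constructors CON, VAR, BND, $ (spelled APP here) and ABS, skips the dependent-pair (expr') bookkeeping, and the names max_var, bind_var, instantiate and agrees_with_canon are this example's own assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Union


# De Bruijn constructors of Hybrid's base type expr.  The Python encoding
# (frozen dataclasses, structural equality) is this example's assumption.
@dataclass(frozen=True)
class CON:
    name: str


@dataclass(frozen=True)
class VAR:
    n: int  # free variable, named by an index


@dataclass(frozen=True)
class BND:
    n: int  # bound variable, a de Bruijn index


@dataclass(frozen=True)
class APP:
    f: "Expr"
    a: "Expr"


@dataclass(frozen=True)
class ABS:
    body: "Expr"


Expr = Union[CON, VAR, BND, APP, ABS]
Fun = Callable[[Expr], Expr]  # a meta-level function of type expr -> expr


def max_var(t: Expr) -> int:
    """Largest n such that (VAR n) occurs in t, or -1 if none occurs."""
    if isinstance(t, VAR):
        return t.n
    if isinstance(t, APP):
        return max(max_var(t.f), max_var(t.a))
    if isinstance(t, ABS):
        return max_var(t.body)
    return -1


def newvar(e: Fun) -> int:
    """A variable fresh for e: 1 + the maximum index of (VAR x) in e (BND 0)."""
    return max_var(e(BND(0))) + 1


def bind_var(t: Expr, n: int, depth: int = 0) -> Expr:
    """Replace (VAR n) by (BND depth); the index grows under each ABS."""
    if isinstance(t, VAR):
        return BND(depth) if t.n == n else t
    if isinstance(t, APP):
        return APP(bind_var(t.f, n, depth), bind_var(t.a, n, depth))
    if isinstance(t, ABS):
        return ABS(bind_var(t.body, n, depth + 1))
    return t


def lbind(e: Fun) -> Expr:
    """Apply e to a fresh variable, then bind that variable to index 0."""
    n = newvar(e)
    return bind_var(e(VAR(n)), n)


def lam(e: Fun) -> Expr:
    """The binder itself: ABS (lbind e)."""
    return ABS(lbind(e))


def instantiate(t: Expr, x: Expr, depth: int = 0) -> Expr:
    """Put x for (BND depth).  x is assumed to be a proper term (no dangling
    indices), so it needs no shifting when pushed under ABS."""
    if isinstance(t, BND):
        return x if t.n == depth else t
    if isinstance(t, APP):
        return APP(instantiate(t.f, x, depth), instantiate(t.a, x, depth))
    if isinstance(t, ABS):
        return ABS(instantiate(t.body, x, depth + 1))
    return t


def canon(e: Fun) -> Fun:
    """Canonical form of e: the function x |-> (lbind e)[x / BND 0].
    It coincides with e exactly when e satisfies abstr."""
    body = lbind(e)
    return lambda x: instantiate(body, x)


def agrees_with_canon(e: Fun, samples: list) -> bool:
    """Spot-check of abstr: canon e must agree with e on the given proper
    terms.  An exotic e (one that inspects its argument) fails this."""
    c = canon(e)
    return all(c(x) == e(x) for x in samples)
```

The check in agrees_with_canon is only a finite spot-check of the extensional property; the paper's abstr is a predicate proved on the term, not sampled.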

Another version of constructive Hybrid [17] in Coq has been proposed, in which theo- 
rems such as induction and recursion principles are proved once at a general level, and then 
can be applied directly to each OL. An OL is specified by a signature, which can include sets 
of sorts, operation names, and even built-in typing rules. A signature specifies the binding 
structure of the operators, and the recursion and induction principles are formulated directly 
on the higher-order syntax. 
Hybrid 0.2. During the write-up of this report, the infrastructure of Hybrid has developed significantly, thanks to the work by Alan Martin (see [80]), so that we informally talk of Hybrid 0.2. Because those changes have been recent and only relatively influence the two-level approach, we have decided not to update the whole paper, but mention here the relevant differences.

The main improvement concerns an overall reorganization of the infrastructure described in Section 2, based on the internalization as a type of the set of proper terms. Using Isabelle/HOL's typedef mechanism, the type prpr is defined as a bijective image of the set {s :: expr | level 0 s}, with inverse bijections expr :: prpr ⇒ expr and prpr :: expr ⇒ prpr. In effect, typedef makes prpr a subtype of expr, but since Isabelle/HOL's type system does not have subtyping, the conversion function must be explicit. Now that OL terms can only be well-formed de Bruijn terms, we can replace the proper_abst property (MC-Lemma 3) with the new lemma

MC-Lemma 34 (abstr_const)

  abstr (λv. t :: prpr)

From the standpoint of two-level reasoning this lemma allows us to dispose of all proper assumptions: in particular the SL universal quantification has type (prpr ⇒ oo) ⇒ oo and the relative SL clause (Figure 5) becomes:

  [[ ∀x. Γ ▷_n (G x) ]] ⟹ Γ ▷_{n+1} (all x. G x)

Therefore, in the proof of MC-Lemma 23 no proper assumptions are generated. The proof of OL Subject Reduction (MC-Theorem 24) does not need to appeal to property (3) or, more importantly, to part 1 of MC-Lemma 14. While this is helpful, it does not eliminate the need for adding well-formedness annotations in OL judgments for the sake of establishing adequacy of the encoding.

Further, a structural definition of abstraction allows us to state the crucial quasi-injectivity property of the Hybrid binder LAM, strengthening MC-Theorem 4 by requiring only one of e and f to satisfy this condition (instead of both), thus simplifying the elimination rules for inductively defined OL judgments:

MC-Theorem 35 (strong_lambda_inject)

  abstr e ⟹ (LAM x. e x = LAM y. f y) = (e = f)

The new definition allows us to drop abstr_tac for plain Isabelle/HOL simplification, and the same applies, a fortiori, to proper_tac.

A significant case study using this infrastructure has been tackled by Alan Martin [64, 65] and consists of an investigation of the meta-theory of a functional programming language with references using a variety of approaches, culminating with the usage of a linearly ordered SL. This study extends the work in Section 5 and [81], as well as offering a different encoding of Mini-ML with references than the one analyzed with a linear logical framework [20].¹

Martin's forthcoming doctoral thesis [64] also illustrates that it is possible to use alternate techniques for induction at the SL level. Instead of natural number induction, some proofs of the case study are carried out by structural induction on the definition of the SL. In these proofs, it was necessary to strengthen the desired properties to properties of arbitrary sequents, and to define specialized weakening operators for contexts along with lemmas supporting reasoning in such contexts. It is not clear how well this technique generalizes; this is the subject of future work. In another technique, natural numbers are replaced by ordinals in the definition of the SL, and natural number induction is replaced by transfinite induction. This technique is quite general and simplifies proofs by induction that involve relating the proof height of one derivation in the SL to one or more others.

¹ We remark that this approach seems to be exempt from the problems connected to verifying meta-theoretical sub-structural properties in LF-style, as pointed out in [102].

Induction over Open Terms. In this paper's examples, proofs by induction over derivations were always on closed judgments such as evaluation, be it encoded as a direct inductive definition at the meta-level or as prog clauses used by the SL. In both cases, this judgment was encoded without the use of hypothetical and parametric judgments, and thus induction was over closed terms, although we essentially used case analysis on open terms. Inducting over open terms and hypothetical judgments is a challenge that has required major theoretical work [43, 103]. Statements have to be generalized to non-empty contexts, and these contexts have to be of a certain form, which must enforce the property in question. In [37] we showed how to accomplish this in Hybrid with only a surprisingly minimal amount of additional infrastructure: we can use the VAR constructor to encode free variables of OLs, and simply add a definition (newvar) that provides the capability of creating a variable which is fresh, in particular w.r.t. a context. We express the induction hypothesis as a "context invariant," which is a property that must be preserved when adding a fresh variable to the context. The general infrastructure we build is designed so that it is straightforward to express context invariants and prove that they are preserved when adding a fresh variable. Very little overhead is required, namely a small library of simple lemmas, where no reasoning about substitution or α-conversion is needed as in first-order approaches. Yet the reasoning power of the system and the class of properties that can be proved is significantly increased.



7 Conclusions and Future Work 

We have presented a multi-level architecture that allows reasoning about objects encoded 
using HOAS in well-known systems such as Isabelle/HOL and Coq that implement well- 
understood logics. The support for reasoning includes induction and co-induction as well as 
various forms of automation available in such systems such as tactical-style reasoning and 
decision procedures. We have presented several examples of its use, including an arguably 
innovative case study. As we have demonstrated, there are a variety of advantages of this 
kind of approach: 

- It is possible to replicate in a well-understood and interactive setting the style of proof used in systems such as Linc designed specially for reasoning using higher-order encodings. The reasoning can be done in such a way that theorems such as subject reduction are proven without "technical" lemmas foreign to the mathematics of the problem.

- Results about the intermediate layer of specification logics, such as cut elimination, are 
proven once and for all; in fact it is possible to work with different specification logics 
without changing the infrastructure. 

- It is possible to use this architecture as a way of "fast prototyping" HOAS logical frame- 
works since we can quickly implement and experiment with a potentially interesting SL, 
rather than building a new system from scratch. 
Since our architecture is based on a very small set of theories that definitionally build an HOAS meta-language on top of a standard proof-assistant, we can do without any axiomatic assumptions, in particular freeness of HOAS constructors and extensionality properties at higher-order types, which in our setting are now theorems. Furthermore, we have shown that mixing meta-level and OL specifications makes proofs more easily mechanizable. Finally, for the simple reason that the Hybrid system sits on top of Isabelle/HOL or Coq, we benefit from the higher degree of automation of the latter.

Some of our current and future work will concentrate on the practical side, such as continuing the development and the testing of the new infrastructure to which we have referred as Hybrid 0.2 (see Section 6.5 and [80]), especially to exploit the new features offered by Isabelle/HOL 2010. Further, we envisage developing a package similar in spirit to Urban's nominal datatype package for Isabelle/HOL [85]. For Hybrid, such a package would automatically supply a variety of support from a user specification of an OL, such as validity predicates like isterm, a series of theorems expressing freeness of the constructors of such a type including injectivity and clash theorems, and an induction principle on the shape of expressions analogous to MC-Theorem 6. To work at two levels, such a package would include a number of pre-compiled SLs (including cut-elimination proofs and other properties) as well as some lightweight tactics to help with two-level inference. Ideally, the output of the package could be in itself generated by a tool such as OTT [108] so as to exploit the tool's capabilities of supporting work on large programming language definitions, where "the scale makes it hard to keep a definition internally consistent, and hard to keep a tight correspondence between a definition and implementations", op. cit.

We clearly need to explore how general our techniques for induction over open terms [37] are, both by attempting other typical case studies such as the POPLmark challenge or the Church-Rosser theorem, as well as analyzing the relationship with theoretical counterparts such as the regular world assumptions and context invariants in Abella. This may also have the benefit of a better understanding and "popularization" of proofs in those less known frameworks. In Twelf, in particular, much of the work in constructing proofs is currently handled by an external check for properties such as termination and coverage [92, 106]. We are investigating Hybrid as the target of a sort of "compilation" of such proofs into the well-understood higher-order logic of Isabelle/HOL. More in-depth comparisons with nominal logic ideas such as freshness and the Gabbay-Pitts quantifier are also in order. In fact, any concrete representation of bound variables does not fit well with HOAS, where the former have no independent identities. However, there are relevant applications (e.g., mismatch in the π-calculus, see [22] for other examples) where names of bound variables do matter.